Link: Self-sent PDF lure with subject correlation
Detects messages sent from a user to themselves that contain a bold link whose visible text ends in ".pdf" and echoes a word from the subject line or the sender's domain, while the actual link target is not a PDF. This self-addressed lure pattern may indicate a compromised account or a social-engineering technique.
# Sublime Security detection rule.
# Flags inbound mail addressed from a user to themselves whose HTML body contains a
# bold anchor whose displayed text looks like a PDF filename, where that text echoes
# the subject or the sender's domain, but whose real href does not end in ".pdf".
name: "Link: Self-sent PDF lure with subject correlation"
description: "Detects messages sent from a user to themselves containing bold PDF links where the link text correlates with the subject line or sender domain, potentially indicating a compromised account or social engineering technique."
type: "rule"
severity: "medium"
source: |
  // only evaluate inbound messages
  type.inbound
  // self sender: exactly one To recipient, and it is the sender's own address
  and (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  )
  // bold a tags ending in PDF
  // '//a[./b]' selects anchors that have a direct <b> child; anchors bolded via
  // <strong> or CSS are not selected by this XPath
  and any(html.xpath(body.html, '//a[./b]').nodes,
    // visible link text ends in ".pdf" (case-insensitive)
    strings.iends_with(.display_text, ".pdf")
    and (
      // subject appears as the .pdf link
      // NOTE(review): every \w+ token of the subject is tried, including one- or
      // two-character tokens and the token "pdf", which a display text ending in
      // ".pdf" satisfies regardless of the rest of the subject; this check is
      // case-sensitive (strings.contains) while the domain check below is not
      any(regex.extract(subject.base, '(?P<word>\w+)'),
        strings.contains(..display_text, .named_groups["word"])
      )
      // OR sender domain appears as the pdf link
      or strings.icontains(.display_text, sender.email.domain.sld)
    )
    // we should NOT match urls
    // the displayed text itself must not parse as a URL
    and strings.parse_url(.display_text, strict=false).url is null
    // and none of the anchor's targets end in a .pdf path, i.e. the PDF filename is
    // only displayed, not what the link actually points to
    and not any(.links, strings.iends_with(.href_url.path, '.pdf'))
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
  - "Content analysis"
id: "a902702f-0e69-57dd-af81-08225218cffb"