Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
Detects inbound PDF attachments impersonating well-known energy and industrial companies (Neste, TotalEnergies, Vattenfall, MOL Group, Unilever, Shell, Waldinger, Novo Nordisk) using fabricated procurement orders, requests for quotation, or supply chain solicitation documents. OCR is used to identify specific branding, addresses, and keywords embedded in these fraudulent PDF templates.
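name: "Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies"
description: "Detects inbound PDF attachments impersonating well-known energy and industrial companies (Neste, TotalEnergies, Vattenfall, MOL Group, Unilever, Shell, Waldinger, Novo Nordisk) using fabricated procurement orders, requests for quotation, or supply chain solicitation documents. OCR is used to identify specific branding, addresses, and keywords embedded in these fraudulent PDF templates."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Match the extension case-insensitively so a ".PDF" / ".Pdf" attachment
  // is not silently excluded from the OCR checks below.
  and any(filter(attachments, .file_extension =~ "pdf"),
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          // Every branch requires a brand-specific string (name, street address or
          // lure domain) AND the procurement wording used in the template, so a
          // generic phrase such as "SUPPLY CHAIN MANAGEMENT" never fires on its own.
          // When icontains is given several substrings, any one of them matching
          // satisfies that call.
          (
            strings.icontains(beta.ocr(.).text, "Neste Niederlande")
            and strings.icontains(beta.ocr(.).text, "Antarcticaweg 185")
            and strings.icontains(beta.ocr(.).text,
                                  "NESTE PROCUREMENT ORDER",
                                  "This is not a Purchase Order"
            )
          )
          or (
            strings.icontains(beta.ocr(.).text, "TotalEnergies Tower")
            and strings.icontains(beta.ocr(.).text, "Louisiana")
            and strings.icontains(beta.ocr(.).text, "SUPPLY CHAIN MANAGEMENT")
          )
          or (
            strings.icontains(beta.ocr(.).text, "Vattenfall")
            and strings.icontains(beta.ocr(.).text, "Hoekenrode 8")
            and strings.icontains(beta.ocr(.).text, "SUPPLY CHAIN MANAGEMENT")
          )
          or (
            // "MOL Ceská" is kept as the OCR engine renders the accented name.
            strings.icontains(beta.ocr(.).text, "MOLGROUP", "MOL Ceská")
            and strings.icontains(beta.ocr(.).text, "Purkynova 2121/3")
            and strings.icontains(beta.ocr(.).text,
                                  "REQUEST FOR PROPOSAL",
                                  "This is not a Purchase Order"
            )
          )
          or (
            // Unilever lure: any of three office addresses plus tender/RFQ wording.
            strings.icontains(beta.ocr(.).text,
                              "219 NORTH ROCKS ROAD",
                              "100 Victoria Embankment",
                              "WEENA 455"
            )
            and strings.icontains(beta.ocr(.).text,
                                  "SUPPLY CHAIN MANAGEMENT",
                                  "COMPULSORY BIDDERS MUST QUOTE",
                                  "INVITATION TO TENDER",
                                  "UNILEVER SUPPLY CHAIN RFQ"
            )
          )
          or (
            strings.icontains(beta.ocr(.).text, "Shell USA")
            and strings.icontains(beta.ocr(.).text, "150 N Dairy Ashford Road")
            and strings.icontains(beta.ocr(.).text,
                                  "Public Tender Documentation",
                                  "This is not a Purchase Order"
            )
          )
          or (
            strings.icontains(beta.ocr(.).text, "Waldinger Corporation")
            and strings.icontains(beta.ocr(.).text, "6200 Scout Trail")
            and strings.icontains(beta.ocr(.).text,
                                  "REQUEST FOR QUOTATION",
                                  "This is not a Purchase Order"
            )
          )
          or (
            // Novo Nordisk lure: brand name or the look-alike sourcing domain,
            // plus the Paris office address and bidder wording.
            strings.icontains(beta.ocr(.).text,
                              "NOVO NORDISK",
                              "nordisksourcingeu.com"
            )
            and strings.icontains(beta.ocr(.).text, "CARRE MICHELET")
            and strings.icontains(beta.ocr(.).text,
                                  "COMPULSORY BIDDERS MUST QUOTE",
                                  "This is not a Purchase Order"
            )
          )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Optical Character Recognition"
  - "File analysis"
  - "Content analysis"
id: "43a13744-b519-5938-ba54-a0544ef6ea94"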