Self-sent fake PDF attachment with misleading link

Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block holds the MQL query;
# `//` lines inside it are MQL comments, not YAML comments. Every top-level
# `and` conjunct below must hold for a message to match.
name: "Self-sent fake PDF attachment with misleading link"
description: "Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files."
type: "rule"
severity: "low"
source: |
  type.inbound
  // pdf image: the raw HTML body must contain this exact Google image-proxy URL,
  // whose fragment names the Office 16x16 PDF file icon.
  // NOTE(review): exact substring match. If the proxy prefix (the /meips/...
  // token) is not stable for the same source image, the rule will not fire --
  // confirm before relying on this as the primary signal.
  and strings.contains(body.html.raw,
                       'https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png'
  )
  // mentions attachments but there are none or just images with no pdfs
  // (case-sensitive prefix match on the current thread text; presumably
  // all() is vacuously true when there are no attachments at all -- verify)
  and strings.starts_with(body.current_thread.text, 'Please see attached.')
  and all(attachments, .file_type in $file_types_images)
  // self sender: exactly one To recipient, and that recipient is the sender.
  // Messages that also list other To recipients are not matched.
  and (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // display text ends with .pdf: at least one visible link in the current thread
  // whose anchor text ends with '.pdf', whose host presumably has a subdomain
  // ("Free subdomain host" tactic), and which is not a Gmail signature-image
  // link served from googleusercontent.com under /mail-sig.
  and any(body.current_thread.links,
          strings.ends_with(.display_text, '.pdf')
          and .href_url.domain.subdomain is not null
          and .visible
          and not (
            .href_url.domain.root_domain == "googleusercontent.com"
            and strings.istarts_with(.href_url.path, "/mail-sig")
          )
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "8a285d2e-3e40-5dfa-b269-947011663a5a"