Self-sent fake PDF attachment with misleading link

Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL expression in `source`.
# Inside the `source` block only `//` comments are valid (a `#` there would become
# part of the MQL text).
name: "Self-sent fake PDF attachment with misleading link"
description: "Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files."
type: "rule"
severity: "low"
source: |
  type.inbound
  // pdf image
  // Hard-coded image URL on googleusercontent.com (appears to be Gmail's image
  // proxy); the fragment after '#' names the proxied source, an office.net
  // file-icon asset (pdf_16x16.png). Only this exact proxied form matches, so a
  // different proxy encoding, a different icon size, or a direct (non-proxied)
  // icon URL will not satisfy this clause -- a brittle indicator to keep an eye on.
  and strings.contains(body.html.raw,
                       'https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png'
  )
  // mentions attachments but there are none or just images with no pdfs
  // Exact prefix match on one phrasing of the lure (starts_with, not the
  // istarts_with variant used further down, so presumably case-sensitive);
  // other wordings are not covered. Per the comment above, an empty attachment
  // list is also accepted, i.e. all() is vacuously true when there are none.
  and strings.starts_with(body.current_thread.text, 'Please see attached.')
  and all(attachments, .file_type in $file_types_images)
  //self sender
  // Sole recipient equals the sender on an inbound message. No authentication
  // result is consulted in this rule, so a spoofed From that matches the
  // recipient and a legitimately self-addressed note both satisfy this block;
  // NOTE(review): pairing this with the message's authentication verdict would
  // separate the two cases -- confirm against the available header fields.
  and (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // display text ends with .pdf
  // Requires a visible link whose anchor text looks like a PDF file and whose
  // host carries a subdomain (cf. the "Free subdomain host" tag below). Links
  // to googleusercontent.com under /mail-sig (presumably Gmail signature
  // images) are excluded so a signature image does not trip the rule.
  and any(body.current_thread.links,
        strings.ends_with(.display_text, '.pdf')
        and .href_url.domain.subdomain is not null
        and .visible
        and not (
          .href_url.domain.root_domain == "googleusercontent.com"
          and strings.istarts_with(.href_url.path, "/mail-sig")
        )
  )  

# Catalog metadata: attack type, tactics/techniques and detection methods used
# by the rule, plus its stable identifier.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "8a285d2e-3e40-5dfa-b269-947011663a5a"