Self-sent fake PDF attachment with misleading link

Detects messages sent from a user to themselves that contain a fake PDF icon served from Google's CDN, claim to have an attachment while carrying only image attachments (or none), and include links whose display text looks like a PDF file but that point to suspicious subdomains.

Sublime rule (View on GitHub)

 1name: "Self-sent fake PDF attachment with misleading link"
 2description: "Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links to suspicious subdomains that appear to be PDF files."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // pdf image
 8  and strings.contains(body.html.raw,
 9                       'https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png'
10  )
11  // mentions attachments but there are none or just images with no pdfs
12  and strings.starts_with(body.current_thread.text, 'Please see attached.')
13  and all(attachments, .file_type in $file_types_images)
14  //self sender
15  and (
16    length(recipients.to) == 1
17    and sender.email.email == recipients.to[0].email.email
18  )
19  // display text ends with .pdf and link is a free subdomain host
20  and any(body.current_thread.links,
21        strings.ends_with(.display_text, '.pdf')
22        and .href_url.domain.subdomain is not null
23        and .visible
24        and not (
25          .href_url.domain.root_domain == "googleusercontent.com"
26          and strings.istarts_with(.href_url.path, "/mail-sig")
27        )
28        and (
29          .href_url.domain.root_domain in $free_subdomain_hosts
30          or ml.link_analysis(.href_url).effective_url.domain.root_domain in $free_subdomain_hosts
31          // Mimecast link logic
32          or (
33            .href_url.domain.root_domain in (
34              "mimecastprotect.com",
35              "mimecast.com"
36            )
37            and any(.href_url.query_params_decoded['domain'],
38                    strings.parse_domain(.).root_domain in $free_subdomain_hosts
39            )
40          )
41        )
42  )  
43
44attack_types:
45  - "Credential Phishing"
46tactics_and_techniques:
47  - "Evasion"
48  - "Free subdomain host"
49  - "Social engineering"
50detection_methods:
51  - "Content analysis"
52  - "URL analysis"
53  - "Sender analysis"
54id: "8a285d2e-3e40-5dfa-b269-947011663a5a"