Attachment: Fictitious invoice using LinkedIn's address

Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in a financial-communications context but do not mention LinkedIn itself.

Sublime rule (View on GitHub)

 1name: "Attachment: Fictitious invoice using LinkedIn's address"
 2description: "Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and 0 < length(filter(attachments, .file_type == "pdf")) < 3
 8  and any(filter(attachments,
 9                 .file_type == "pdf"
10                 // creator and producer of PDF seen in malicious content
11                 and (
12                   strings.starts_with(beta.parse_exif(.).creator, "wkhtmltopdf")
13                   or strings.starts_with(beta.parse_exif(.).producer, "Qt ")
14                 )
15          ),
16          any(filter(file.explode(.), .scan.ocr.raw is not null),
17              // contains LinkedIn HQ address but not from LinkedIn
18              (
19                strings.icontains(.scan.ocr.raw, "1000 W Maude Ave")
20                and any(beta.ml_topic(body.current_thread.text).topics,
21                        .name == "Financial Communications"
22                        and .confidence != "low"
23                )
24                and not strings.icontains(.scan.ocr.raw, "linkedin")
25              ),
26          )
27  )  
28
29attack_types:
30  - "BEC/Fraud"
31tactics_and_techniques:
32  - "PDF"
33  - "Social engineering"
34detection_methods:
35  - "File analysis"
36  - "Optical Character Recognition"
37  - "Natural Language Understanding"
38  - "Content analysis"
39  - "Exif analysis"
40id: "aeee3d9f-4b34-5b56-9ac7-81dc3d344489"