Attachment: Fictitious invoice using LinkedIn's address
Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in a financial-communications context, but do not mention LinkedIn itself.
# Sublime detection rule: PDF "invoices" that borrow LinkedIn's HQ street
# address without ever naming LinkedIn. Everything under `source:` is the
# detection query; the remaining keys are rule metadata.
name: "Attachment: Fictitious invoice using LinkedIn's address"
description: "Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only.
  type.inbound
  // Exactly one or two PDF attachments on the message (0 < count < 3).
  and 0 < length(filter(attachments, .file_type == "pdf")) < 3
  and any(filter(attachments,
                 .file_type == "pdf"
                 // creator and producer of PDF seen in malicious content
                 // (Exif Creator prefix "wkhtmltopdf", or Producer prefix "Qt " --
                 // the trailing space is part of the match)
                 and (
                   strings.starts_with(beta.parse_exif(.).creator, "wkhtmltopdf")
                   or strings.starts_with(beta.parse_exif(.).producer, "Qt ")
                 )
          ),
          // Explode the matching PDF and look only at pieces that produced OCR text.
          any(filter(file.explode(.), .scan.ocr.raw is not null),
              // contains LinkedIn HQ address but not from LinkedIn
              (
                strings.icontains(.scan.ocr.raw, "1000 W Maude Ave")
                // Topic check reads the message body (current thread), not the
                // exploded piece, so it evaluates the same for every piece; it
                // gates on a "Financial Communications" topic whose confidence
                // is anything other than "low".
                and any(beta.ml_topic(body.current_thread.text).topics,
                        .name == "Financial Communications"
                        and .confidence != "low"
                )
                // The LinkedIn exclusion is applied to the attachment's OCR text
                // only; no sender or header field is consulted in this rule.
                and not strings.icontains(.scan.ocr.raw, "linkedin")
              ),
          )
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "Content analysis"
  - "Exif analysis"
id: "aeee3d9f-4b34-5b56-9ac7-81dc3d344489"