Link: PDF display text with fake copyright claim template

Detects messages containing fake copyright claims whose HTML table rows pair a 25px-high image in the first cell with a link in the second cell whose display text references a PDF, a layout consistent with malicious PDF delivery attempts disguised by deceptive formatting.

Sublime rule (View on GitHub)

name: "Link: PDF display text with fake copyright claim template"
description: "Detects messages containing fake copyright claims with table rows with 25px height images and links where the display text references PDF content, potentially indicating malicious PDF delivery attempts through deceptive formatting."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(html.xpath(body.html, '//tr[td[1]/img[@height="25px"]]/td[2]//a').nodes,
          strings.icontains(.display_text, "PDF")
  )

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "e67418db-f67f-5c8e-ad9f-fcee22596fa7"
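To see what the rule's XPath and display-text test actually select, here is an added Python example (not part of the Sublime rule or the sublime-rules project) that mirrors the same logic step by step over two constructed HTML bodies using only the standard library. It assumes the bodies are well-formed XML so that `xml.etree` can parse them; Sublime's `html.xpath` uses a lenient HTML parser, so real message bodies need not be well-formed. The sample bodies, the `example.invalid` URLs and the function names are constructed for this example.

```python
"""Mirror of //tr[td[1]/img[@height="25px"]]/td[2]//a plus icontains(display_text, "PDF").

Added example, not the rule's own implementation. Uses only the standard library and
assumes well-formed markup (the real rule runs on a lenient HTML parser).
"""
import xml.etree.ElementTree as ET

# Constructed sample body that SHOULD match: a 25px icon cell beside a PDF-themed link.
# The second row shows that //a also finds anchors nested deeper inside the cell.
MATCHING_BODY = """<html><body>
<table>
  <tr>
    <td><img src="cid:icon" height="25px" width="25px"/></td>
    <td>Copyright infringement notice: <a href="https://example.invalid/notice">view the PDF document</a></td>
  </tr>
  <tr>
    <td><img src="cid:icon" height="25px"/></td>
    <td><p><b><a href="https://example.invalid/claim">PDF attached</a></b></p></td>
  </tr>
</table>
</body></html>"""

# Constructed sample body that should NOT match: first row has the wrong image height,
# second row has the right layout but its link text never mentions a PDF.
BENIGN_BODY = """<html><body>
<table>
  <tr>
    <td><img src="cid:icon" height="40px"/></td>
    <td><a href="https://example.invalid/report">Download the PDF</a></td>
  </tr>
  <tr>
    <td><img src="cid:icon" height="25px"/></td>
    <td><a href="https://example.invalid/invoice">Open invoice</a></td>
  </tr>
</table>
</body></html>"""


def link_display_text(anchor):
    """Approximate Sublime's .display_text: the visible text of the anchor and its children."""
    return "".join(anchor.itertext()).strip()


def suspicious_pdf_links(body_html):
    """Return display texts of links selected by the rule's structural and text checks."""
    root = ET.fromstring(body_html)
    hits = []
    for tr in root.iter("tr"):
        # td[1] and td[2] in XPath are the first and second <td> children of the row.
        tds = [child for child in tr if child.tag == "td"]
        if len(tds) < 2:
            continue
        first, second = tds[0], tds[1]
        # td[1]/img[@height="25px"]: an <img> that is a DIRECT child of the first cell.
        if not any(el.tag == "img" and el.get("height") == "25px" for el in first):
            continue
        # td[2]//a: any <a> at any depth inside the second cell.
        for anchor in second.iter("a"):
            text = link_display_text(anchor)
            # strings.icontains(.display_text, "PDF") is case-insensitive.
            if "pdf" in text.lower():
                hits.append(text)
    return hits


def rule_matches(body_html):
    """True when the any(...) in the rule's source would be satisfied."""
    return bool(suspicious_pdf_links(body_html))


if __name__ == "__main__":
    print("matching body ->", suspicious_pdf_links(MATCHING_BODY))
    print("benign body   ->", suspicious_pdf_links(BENIGN_BODY))
```

Two details of the XPath are worth noticing when tuning this rule: the `height="25px"` predicate is an exact attribute string match, so `height="25"` or a CSS `style` height would not be selected, and the image must be a direct child of the first cell whereas the anchor may sit at any depth in the second.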