Link: PDF filename impersonation with credential theft language
Detects messages with no PDF attachment where the first link's display text mimics a PDF filename built from the sender's second-level domain (within a Levenshtein distance of 4 of it, or starting with it) and ending in digits followed by .pdf, combined with credential theft intent or "please see/review" request language. The message has at most one To recipient, which is either the sender themselves or an invalid domain, or it has no recipients at all, indicating potential abuse of the sender's email infrastructure.
Sublime rule
name: "Link: PDF filename impersonation with credential theft language"
description: "Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // does not actually contain a PDF attachment
  and not any(attachments, .file_extension == "pdf")
  and (
    // take the first body link's display text, strip the trailing digits + ".pdf",
    // and compare the remainder to the sender's SLD: either within a Levenshtein
    // distance of at most 4, or the display text starts with the SLD exactly
    any(regex.iextract(body.current_thread.links[0].display_text,
                       '(?P<starter>.*)\b\d+\.pdf$'
        ),
        strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
    )
    or (
      strings.istarts_with(body.current_thread.links[0].display_text,
                           sender.email.domain.sld
      )
      and regex.icontains(body.current_thread.links[0].display_text,
                          '\b\d+\.pdf$'
      )
    )
  )
  // cred theft intent or other request language
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
    )
    or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "request"
           ),
           regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
    )
  )
  // at most one To recipient, and that recipient is the sender or an invalid
  // domain, or there are no recipients at all across To, Cc and Bcc
  and (
    length(recipients.to) <= 1
    and (
      sender.email.email == recipients.to[0].email.email
      or recipients.to[0].email.domain.valid == false
      or sum([
        length(recipients.to),
        length(recipients.cc),
        length(recipients.bcc)
      ]
      ) == 0
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "05931513-5d1c-5148-a3fa-471f1bb42220"
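The rule's deterministic checks reimplemented in Python, as an added example for exercising the logic offline (this is not Sublime's code and not part of the rule). The two regexes are copied verbatim from the rule; the `ml.nlu_classifier` branches have no offline equivalent, so in their place the rule's request regex is applied to the whole body text, which is broader than the rule's match on classifier-extracted "request" entities. `sender_sld` and `domain_is_valid` are simplified stand-ins for `sender.email.domain.sld` and `.email.domain.valid`, which Sublime resolves against the public suffix list. The sample messages are constructed, not real traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns copied from the rule. YAML single-quoted strings keep backslashes
# literal, so these raw strings are the same patterns byte for byte.
PDF_NAME_RE = re.compile(r'(?P<starter>.*)\b\d+\.pdf$', re.IGNORECASE)
PDF_TAIL_RE = re.compile(r'\b\d+\.pdf$', re.IGNORECASE)
REQUEST_RE = re.compile(r'please (?:see|find|click|(?:re)?view)', re.IGNORECASE)


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads (not a Sublime type)."""
    sender: str
    to: List[str]
    first_link_text: str   # body.current_thread.links[0].display_text
    body_text: str         # body.current_thread.text
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    attachment_extensions: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, the same measure as strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_sld(address: str) -> str:
    """Simplified sender.email.domain.sld: the label left of the last one.
    Assumption of this example; multi-label public suffixes (co.uk) are not handled."""
    labels = address.rsplit('@', 1)[-1].lower().split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]


def domain_is_valid(address: str) -> bool:
    """Simplified .email.domain.valid: a dotted name ending in an alphabetic TLD.
    Assumption of this example; Sublime checks against the public suffix list."""
    domain = address.rsplit('@', 1)[-1].lower()
    return re.fullmatch(r'[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}', domain) is not None


def mimic_branch(display_text: str, sld: str) -> Optional[str]:
    """Which of the rule's two display-text branches fires, or None.
    Note the \\b before the digits: 'acme-corp1234.pdf' has no word boundary
    between 'p' and '1', so neither branch fires without a separator."""
    m = PDF_NAME_RE.search(display_text)
    if m and levenshtein(m.group('starter'), sld) <= 4:
        return 'levenshtein'
    if display_text.lower().startswith(sld.lower()) and PDF_TAIL_RE.search(display_text):
        return 'prefix'
    return None


def recipient_pattern(msg: Message) -> bool:
    """At most one To recipient, and it is the sender, an invalid domain, or
    there are no recipients at all across To, Cc and Bcc."""
    if len(msg.to) > 1:
        return False
    if len(msg.to) + len(msg.cc) + len(msg.bcc) == 0:
        return True
    if not msg.to:  # only Cc/Bcc present: recipients.to[0] is null in MQL, no match
        return False
    first = msg.to[0]
    return first.lower() == msg.sender.lower() or not domain_is_valid(first)


def rule_matches(msg: Message) -> bool:
    if any(ext.lower() == 'pdf' for ext in msg.attachment_extensions):
        return False
    if mimic_branch(msg.first_link_text, sender_sld(msg.sender)) is None:
        return False
    # Stand-in for the NLU branches: the request regex over the whole body.
    if not REQUEST_RE.search(msg.body_text):
        return False
    return recipient_pattern(msg)


# Constructed sample messages (not real traffic).
SELF_SENT = Message(sender='billing@acme-corp.com', to=['billing@acme-corp.com'],
                    first_link_text='acme-c0rp-0912.pdf',
                    body_text='Please review the attached statement and sign in to confirm.')
INVALID_TO = Message(sender='hr@acme-corp.com', to=['nobody@invalid'],
                     first_link_text='Acme-Corp Invoice 20231.pdf',
                     body_text='Please see the document for your updated benefits.')
HAS_PDF = Message(sender='billing@acme-corp.com', to=['billing@acme-corp.com'],
                  first_link_text='acme-c0rp-0912.pdf', body_text='Please review.',
                  attachment_extensions=['pdf'])
NORMAL_SEND = Message(sender='billing@acme-corp.com', to=['alice@example.com'],
                      first_link_text='acme-corp-0912.pdf', body_text='Please review.')
```

`SELF_SENT` fires through the Levenshtein branch (`acme-c0rp-` is two edits from `acme-corp`) and the self-addressed recipient; `INVALID_TO` fires through the prefix branch, since the display text starts with the SLD but its `starter` group is too far from it, and through the invalid To domain. `HAS_PDF` is excluded by the attachment check and `NORMAL_SEND` by a single valid, non-self recipient.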