Link: Breely link masquerading as PDF

Detects inbound messages containing exactly one link to the breely.com root domain whose visible link text contains ".pdf", so the link reads as a PDF attachment while the href actually points to a Breely-hosted page. That page typically redirects to a different destination for malicious purposes (credential phishing or BEC lures).

Sublime rule (View on GitHub)

name: "Link: Breely link masquerading as PDF"
description: "Detects messages containing a single Breely link that displays as a PDF file. Typically, redirects to a different destination for malicious purposes."
type: "rule"
severity: "high"
source: |
  type.inbound
  // exactly one body link resolves to the breely.com root domain
  and length(filter(body.links, .href_url.domain.root_domain == "breely.com")) == 1
  // and that link's visible text claims to be a PDF
  and any(body.links,
          .href_url.domain.root_domain == "breely.com"
          and strings.icontains(.display_text, ".pdf")
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "4a498c21-2f8a-5b54-84f5-c3c4ad3ee8e9"
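The same two conditions in plain Python, run over constructed HTML bodies, to show exactly what the rule does and does not flag. This is an added illustration, not Sublime's MQL engine or the rule's own code: `type.inbound` is assumed to be satisfied, `body.links` is approximated by extracting `<a href>` elements with their visible text, and `root_domain` is approximated by taking the last two host labels rather than consulting the Public Suffix List as MQL does. The sample bodies are constructed, not real messages.

```python
"""Re-implementation of the "Breely link masquerading as PDF" conditions.

Added example, not part of the Sublime rule. Assumptions:
- type.inbound is true (only the body-link checks are modelled here)
- body.links ~ every <a href> with its visible text
- root_domain ~ last two labels of the host (no Public Suffix List)
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Link:
    href_url: str
    display_text: str


class _LinkExtractor(HTMLParser):
    """Collects <a href> links with their visible text (stand-in for body.links)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link(self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body: str) -> list:
    parser = _LinkExtractor()
    parser.feed(html_body)
    return parser.links


def root_domain(url: str) -> str:
    """Heuristic stand-in for .href_url.domain.root_domain: last two host labels.
    Assumption: adequate for .com hosts such as x.breely.com; ccTLDs like .co.uk
    would need the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches_breely_pdf_rule(html_body: str) -> bool:
    """Mirrors the rule's source block:
    length(filter(body.links, root_domain == "breely.com")) == 1
    and any(body.links, root_domain == "breely.com" and icontains(display_text, ".pdf"))
    """
    links = extract_links(html_body)
    breely_links = [l for l in links if root_domain(l.href_url) == "breely.com"]
    if len(breely_links) != 1:        # the "exactly one Breely link" guard
        return False
    return any(".pdf" in l.display_text.lower() for l in breely_links)


# Constructed sample bodies (not real phishing messages).
MATCHING_BODY = """
<p>Please review the attached invoice.</p>
<a href="https://acme-billing.breely.com/s/abc123">Invoice_2024-Q3.PDF</a>
"""

TWO_LINKS_BODY = """
<a href="https://a.breely.com/x">Invoice.pdf</a>
<a href="https://b.breely.com/y">Unsubscribe</a>
"""

NO_PDF_TEXT_BODY = """
<a href="https://acme.breely.com/x">Click here</a>
"""

OTHER_DOMAIN_BODY = """
<a href="https://example.com/invoice.pdf">Invoice.pdf</a>
"""

if __name__ == "__main__":
    for label, body in [("matching", MATCHING_BODY), ("two breely links", TWO_LINKS_BODY),
                        ("no .pdf text", NO_PDF_TEXT_BODY), ("other domain", OTHER_DOMAIN_BODY)]:
        print(f"{label}: {matches_breely_pdf_rule(body)}")
```

Two things the example makes visible that the rule text does not spell out: the `== 1` guard means a message carrying a second breely.com link (an unsubscribe or logo link on the same host, say) is not flagged, and the `icontains` check is on the display text only, so a Breely link whose visible text is "Click here" passes even when the landing page serves a PDF lure. Both are deliberate precision trade-offs in the rule, not bugs in this re-implementation.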