sublime · medium · Rule

Link: PDF filename impersonation with credential theft language

Detects messages where the display text of the first body link mimics a PDF filename built from the sender's domain name, while the message itself carries no PDF attachment, combined with credential theft language or request language such as 'please review'. The message has at most one To recipient and is addressed to the sender themselves, to a recipient with an invalid domain, or to no recipient at all, indicating potential abuse of email infrastructure.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

type.inbound
// does not actually contain a PDF attachment
and not any(attachments, .file_extension == "pdf")
and (
  // take the first body link's display text and compare it to the sender's SLD:
  // either the text before a trailing "<digits>.pdf" is within Levenshtein distance 4 (inclusive) of the SLD,
  // or the display text starts with the SLD and ends in "<digits>.pdf"
  any(regex.iextract(body.current_thread.links[0].display_text,
                     '(?P<starter>.*)\b\d+\.pdf$'
      ),
      strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
  )
  or (
    strings.istarts_with(body.current_thread.links[0].display_text,
                         sender.email.domain.sld
    )
    and regex.icontains(body.current_thread.links[0].display_text,
                        '\b\d+\.pdf$'
    )
  )
)
// credential theft intent above low confidence, or request language such as "please review"
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence != "low"
  )
  or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
         ),
         regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
  )
)
// at most one To recipient, and either self-addressed, an invalid To domain, or no recipients at all
and (
  length(recipients.to) <= 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
    or sum([
             length(recipients.to),
             length(recipients.cc),
             length(recipients.bcc)
           ]
    ) == 0
  )
)
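To make the rule's logic testable outside the platform, here is an added Python approximation of the query above, run over constructed sample messages; it is not the rule's own code and not part of this page. It assumes a minimal `Message` class standing in for the fields the rule reads, replaces `strings.ilevenshtein` with a plain edit-distance function, takes the sender SLD as the second domain label from the right (no public-suffix list), and does not reproduce the `ml.nlu_classifier` cred_theft intent: only the rule's explicit request-language regex is applied, and to the whole body rather than to NLU "request" entities.

```python
import re
from dataclasses import dataclass, field

# Added example, not the rule's own code: a Python approximation of the MQL query
# above, run over constructed sample messages. Assumptions: the nlu_classifier
# "cred_theft" intent is not reproduced (only the request-language regex is used,
# on the whole body), and the sender SLD is the second domain label from the right.

PDF_NAME_RE = re.compile(r"(?P<starter>.*)\b\d+\.pdf$", re.IGNORECASE)
DIGITS_PDF_RE = re.compile(r"\b\d+\.pdf$", re.IGNORECASE)
REQUEST_RE = re.compile(r"please (?:see|find|click|(?:re)?view)", re.IGNORECASE)
LEVENSHTEIN_MAX = 4

@dataclass
class Message:  # assumed shape, covering only the fields the rule reads
    sender: str                                   # sender.email.email
    to: list[str]                                 # recipients.to addresses
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)         # attachment filenames
    link_display_texts: list[str] = field(default_factory=list)  # body.current_thread.links[*].display_text
    body_text: str = ""
    invalid_to_domain: bool = False               # recipients.to[0].email.domain.valid == false

def levenshtein(a: str, b: str) -> int:
    """Edit distance, case-insensitive like strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_sld(address: str) -> str:
    """Second-level label of the sender domain: 'acme' for billing@mail.acme.com."""
    labels = address.rsplit("@", 1)[-1].lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def pdf_name_impersonates_sender(display_text: str, sld: str) -> bool:
    """Link-text clause: '<starter><digits>.pdf' with starter within edit distance 4
    of the SLD, or text that starts with the SLD and ends in '<digits>.pdf'."""
    m = PDF_NAME_RE.search(display_text)
    if m and levenshtein(m.group("starter"), sld) <= LEVENSHTEIN_MAX:
        return True
    return display_text.lower().startswith(sld.lower()) and DIGITS_PDF_RE.search(display_text) is not None

def recipient_pattern_suspicious(msg: Message) -> bool:
    """Recipients clause: at most one To, and self-addressed, invalid To domain, or no recipients."""
    if len(msg.to) > 1:
        return False
    if len(msg.to) + len(msg.cc) + len(msg.bcc) == 0:
        return True
    if not msg.to:  # recipients.to[0] is null in the rule, so neither remaining test can pass
        return False
    return msg.to[0].lower() == msg.sender.lower() or msg.invalid_to_domain

def rule_matches(msg: Message) -> bool:
    """Whole rule (inbound assumed): no PDF attachment, then the three clauses."""
    if any(name.lower().endswith(".pdf") for name in msg.attachments):
        return False
    if not msg.link_display_texts:
        return False
    return (pdf_name_impersonates_sender(msg.link_display_texts[0], sender_sld(msg.sender))
            and REQUEST_RE.search(msg.body_text) is not None
            and recipient_pattern_suspicious(msg))

# Constructed sample messages (not real mail).
SAMPLES = {
    "self_addressed_lure": Message(sender="billing@acme.com", to=["billing@acme.com"],
                                   link_display_texts=["Acme-48213.pdf"],
                                   body_text="Please review the attached statement and sign in to confirm."),
    "real_pdf_attached": Message(sender="billing@acme.com", to=["billing@acme.com"],
                                 attachments=["Acme-48213.pdf"], link_display_texts=["Acme-48213.pdf"],
                                 body_text="Please review the attached statement."),
    "normal_recipient": Message(sender="billing@acme.com", to=["alice@example.org"],
                                link_display_texts=["Acme-48213.pdf"],
                                body_text="Please review the attached statement."),
    # short SLD plus a bare numeric name: the empty starter is within distance 4 of "ups"
    "short_sld_no_recipients": Message(sender="noreply@ups.com", to=[],
                                       link_display_texts=["2048173.pdf"],
                                       body_text="Please see the shipment document."),
    # underscore separator: \b does not fire between "_" and a digit, so both branches miss it
    "underscore_separator": Message(sender="billing@acme.com", to=["billing@acme.com"],
                                    link_display_texts=["Acme_48213.pdf"],
                                    body_text="Please review the attached statement."),
}

def run_samples() -> dict[str, bool]:
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:26s} {'MATCH' if hit else 'no match'}")
```

Running it shows two properties of the rule worth knowing before tuning it: with a short sender SLD such as `ups`, a bare numeric link text like `2048173.pdf` leaves an empty `starter` whose edit distance to the SLD is only 3, so the filename clause passes even though the name contains no domain at all; and because `\b` does not match between `_` and a digit, a lure named `Acme_48213.pdf` is missed by both branches of the filename clause.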

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Link: PDF filename impersonation with credential theft language"
description: "Detects messages where the display text of the first body link mimics a PDF filename built from the sender's domain name, while the message itself carries no PDF attachment, combined with credential theft language or request language such as 'please review'. The message has at most one To recipient and is addressed to the sender themselves, to a recipient with an invalid domain, or to no recipient at all, indicating potential abuse of email infrastructure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // does not actually contain a PDF attachment
  and not any(attachments, .file_extension == "pdf")
  and (
    // take the first body link's display text and compare it to the sender's SLD:
    // either the text before a trailing "<digits>.pdf" is within Levenshtein distance 4 (inclusive) of the SLD,
    // or the display text starts with the SLD and ends in "<digits>.pdf"
    any(regex.iextract(body.current_thread.links[0].display_text,
                       '(?P<starter>.*)\b\d+\.pdf$'
        ),
        strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
    )
    or (
      strings.istarts_with(body.current_thread.links[0].display_text,
                           sender.email.domain.sld
      )
      and regex.icontains(body.current_thread.links[0].display_text,
                          '\b\d+\.pdf$'
      )
    )
  )
  // credential theft intent above low confidence, or request language such as "please review"
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
    )
    or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "request"
           ),
           regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
    )
  )
  // at most one To recipient, and either self-addressed, an invalid To domain, or no recipients at all
  and (
    length(recipients.to) <= 1
    and (
      sender.email.email == recipients.to[0].email.email
      or recipients.to[0].email.domain.valid == false
      or sum([
               length(recipients.to),
               length(recipients.cc),
               length(recipients.bcc)
             ]
      ) == 0
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "05931513-5d1c-5148-a3fa-471f1bb42220"