Sublime rule (severity: medium)
Attachment: PDF with personal Microsoft OneNote URL
Detects inbound messages carrying a PDF attachment that contains a SharePoint/OneDrive URL whose path references the sender's personal OneNote (either "/:o:/p/<sender local part>" or a "/:o:/g/personal/" sharing link).
Detection Query
type.inbound
and length(filter(attachments, .file_type == "pdf")) >= 1
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                any(.scan.url.urls,
                    strings.icontains(.path,
                                      strings.concat("/:o:/p/",
                                                     sender.email.local_part
                                      )
                    )
                    or strings.icontains(.path, "/:o:/g/personal/")
                )
        )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: PDF with personal Microsoft OneNote URL"
description: "Detects PDF attachments containing a SharePoint URL referencing the sender's personal OneNote."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(filter(attachments, .file_type == "pdf")) >= 1
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.url.urls,
                      strings.icontains(.path,
                                        strings.concat("/:o:/p/",
                                                       sender.email.local_part
                                        )
                      )
                      or strings.icontains(.path, "/:o:/g/personal/")
                  )
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "Social engineering"
detection_methods:
- "File analysis"
- "Content analysis"
id: "0675bbc5-b322-5bd6-a4ea-61dc5346d603"