sublime / high / Rule
Attachment: Self-sender PDF with minimal content and view prompt
Detects inbound messages with exactly one recipient whose address matches the sender's (or whose domain is not valid), a body that starts with 'Please see attached', and a PDF attachment whose extracted strings consist solely of 'VIEW PDF'.
Detection Query
type.inbound
// self sender: exactly one recipient, and either the sender is that recipient
// or the recipient's domain is not a valid domain
and length(recipients.to) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
// canned lure body
and strings.starts_with(body.current_thread.text, 'Please see attached')
// a PDF whose extracted strings consist solely of the 'VIEW PDF' prompt
and any(filter(attachments, .file_type == 'pdf'),
  any(file.explode(.),
    .scan.strings.strings[0] == 'VIEW PDF'
    and length(.scan.strings.strings) == 1
  )
)
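The predicate above reads as a single boolean expression, so its three gates (self-sender or invalid recipient domain, canned body prefix, PDF with nothing but the lure text) are easy to misread as independent. The following Python is an added model of the rule's logic written for this page; it is not Sublime's engine or the rule's own code. Message attributes are constructed by hand, the per-attachment string list stands in for what `file.explode(...).scan.strings.strings` would produce, and `domain_is_valid` is an assumed approximation of `email.domain.valid`, not Sublime's check. Comparisons mirror the literal form of the rule, so the body prefix is case-sensitive.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


# Constructed stand-ins for the message attributes the rule reads. The
# per-attachment string list models what Sublime's file.explode(...)
# .scan.strings.strings would return; here it is written by hand.
@dataclass
class Attachment:
    file_type: str          # like attachments[].file_type
    strings: List[str]      # modelled output of the strings scan


@dataclass
class Message:
    inbound: bool                       # type.inbound
    sender: str                         # sender.email.email
    recipients_to: List[str]            # recipients.to[].email.email
    body_text: str                      # body.current_thread.text
    attachments: List[Attachment] = field(default_factory=list)


# Approximation of recipients.to[0].email.domain.valid: a dotted hostname
# ending in an alphabetic TLD. This is an assumption for the example, not
# Sublime's own validity check.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def domain_is_valid(address: str) -> bool:
    if address.count("@") != 1:
        return False
    return _DOMAIN_RE.match(address.rsplit("@", 1)[1]) is not None


def is_self_sender(msg: Message) -> bool:
    # length(recipients.to) == 1 and (sender == recipient or invalid domain)
    if len(msg.recipients_to) != 1:
        return False
    rcpt = msg.recipients_to[0]
    # addresses are compared case-insensitively here (assumption)
    return msg.sender.lower() == rcpt.lower() or not domain_is_valid(rcpt)


def pdf_is_view_prompt_only(att: Attachment) -> bool:
    # .file_type == 'pdf' and the strings scan yields exactly ['VIEW PDF']
    return att.file_type == "pdf" and att.strings == ["VIEW PDF"]


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and is_self_sender(msg)
        and msg.body_text.startswith("Please see attached")
        and any(pdf_is_view_prompt_only(a) for a in msg.attachments)
    )


# Constructed samples: one true positive per branch of the self-sender
# clause, plus one miss per gate the rule imposes.
LURE_PDF = Attachment("pdf", ["VIEW PDF"])
BUSY_PDF = Attachment("pdf", ["Invoice 4471", "Due 30 days", "VIEW PDF"])

SAMPLES: Dict[str, Message] = {
    "self_sender_lure": Message(True, "jane@example.com", ["jane@example.com"],
                                "Please see attached document.", [LURE_PDF]),
    "invalid_rcpt_domain": Message(True, "billing@example.net", ["jane@localhost"],
                                   "Please see attached", [LURE_PDF]),
    "two_recipients": Message(True, "jane@example.com",
                              ["jane@example.com", "bob@example.com"],
                              "Please see attached", [LURE_PDF]),
    "different_body": Message(True, "jane@example.com", ["jane@example.com"],
                              "Hi team, see attached", [LURE_PDF]),
    "text_rich_pdf": Message(True, "jane@example.com", ["jane@example.com"],
                             "Please see attached", [BUSY_PDF]),
    "outbound": Message(False, "jane@example.com", ["jane@example.com"],
                        "Please see attached", [LURE_PDF]),
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

Only the first two samples fire. The rule is deliberately narrow: a second recipient, a body that does not open with the exact phrase, or a PDF that carries any extracted string besides 'VIEW PDF' all fall through, which is why the lure's signature is the emptiness of the attachment rather than anything in it.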
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: Self-sender PDF with minimal content and view prompt"
description: "Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  and strings.starts_with(body.current_thread.text, 'Please see attached')
  and any(filter(attachments, .file_type == 'pdf'),
    any(file.explode(.),
      .scan.strings.strings[0] == 'VIEW PDF'
      and length(.scan.strings.strings) == 1
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "07670a8c-4e64-5807-8c9e-97171c076884"