EXPLORE
← Back to Explore
sublimemediumRule

Attachment: Encrypted PDF With Credential Harvesting Indicators

Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis.

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            any(.scan.yara.matches, .name in ("pdf_encrypted_cred_phish_001"))
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: Encrypted PDF With Credential Harvesting Indicators"
description: "Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("pdf_encrypted_cred_phish_001"))
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
id: "2122a286-4b6c-5f40-a2cd-2ed02c68baca"