← Back to Explore
sublimemediumRule
Attachment: Encrypted PDF With Credential Harvesting Indicators
Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches, .name in ("pdf_encrypted_cred_phish_001"))
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Encrypted PDF With Credential Harvesting Indicators"
description: "Detects encrypted PDF attachments containing patterns and indicators commonly associated with credential harvesting operations, identified through YARA signature analysis."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches, .name in ("pdf_encrypted_cred_phish_001"))
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "PDF"
detection_methods:
- "File analysis"
- "YARA"
id: "2122a286-4b6c-5f40-a2cd-2ed02c68baca"