EXPLORE
← Back to Explore
sublimemediumRule

Attachment: PDF with localhost IP in EXIF title metadata

Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.

Detection Query

type.inbound
// self sender or invaild recipent domain
and length(recipients.to) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
and any(filter(attachments, .file_type == "pdf"),
        strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: PDF with localhost IP in EXIF title metadata"
description: "Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender or invaild recipent domain
  and length(recipients.to) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  and any(filter(attachments, .file_type == "pdf"),
          strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
id: "2649b4b9-5228-5b26-af5c-5b4e3b4a9926"