Attachment: PDF with password in filename matching body text
Detects inbound messages carrying exactly one PDF attachment whose filename contains a numeric password that the message body states explicitly (for example, "the password is 4821"). Password-protecting the PDF keeps its contents from being scanned in transit, and putting the password in the filename and body lets the recipient open it anyway; that pairing is the signal.
Detection Query
type.inbound
and length(filter(attachments, .file_type == "pdf")) == 1
and any(regex.extract(body.current_thread.text, 'password is (?P<pw>[0-9]{1,})'),
        any(filter(attachments, .file_type == "pdf"),
            strings.contains(.file_name, ..named_groups["pw"])
        )
)
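To make the query's behaviour concrete, here is a Python re-implementation run over a handful of constructed sample messages. This is an added example, not the rule's own code or anything from Sublime: the Attachment and Message classes and every sample message are invented for illustration, file_type is assumed to be the content-derived type the platform exposes rather than the extension, and the pattern is treated as case sensitive (Python's default, and my understanding of regex.extract as opposed to its i-prefixed variant). The samples also show two caveats a practitioner should know: the single-PDF condition counts PDFs only, so a PDF plus an image still qualifies, and a very short password becomes a substring check that can fire on unrelated digits in a filename.

```python
import re
from dataclasses import dataclass

# Added re-implementation of the page's MQL rule (not Sublime's own code).
# Rule logic: inbound message, exactly one PDF attachment, the current
# thread's body text says "password is <digits>", and those digits appear
# somewhere in the PDF's file name.

PASSWORD_RE = re.compile(r"password is (?P<pw>[0-9]{1,})")  # same pattern as the rule


@dataclass
class Attachment:
    file_name: str
    file_type: str  # assumed: content-derived type as the platform exposes it, not the extension


@dataclass
class Message:
    inbound: bool
    current_thread_text: str  # body.current_thread.text: latest message only, quoted history excluded
    attachments: list


def extract_passwords(text):
    """regex.extract(...) equivalent: every 'pw' named-group value, in order of appearance."""
    return [m.group("pw") for m in PASSWORD_RE.finditer(text)]


def rule_matches(msg):
    """True when the message would trigger the rule."""
    if not msg.inbound:  # type.inbound
        return False
    pdfs = [a for a in msg.attachments if a.file_type == "pdf"]
    if len(pdfs) != 1:  # length(filter(attachments, .file_type == "pdf")) == 1
        return False
    # any(regex.extract(...), any(filter(...), strings.contains(.file_name, ..named_groups["pw"])))
    return any(pw in pdf.file_name
               for pw in extract_passwords(msg.current_thread_text)
               for pdf in pdfs)


# Constructed sample messages for illustration; none of these are real mail.
SAMPLES = {
    "hit": Message(True, "Your invoice is attached. The password is 4821.",
                   [Attachment("Invoice_4821.pdf", "pdf")]),
    "second_password_matches": Message(True, "Old password is 1111, new password is 2222.",
                                       [Attachment("statement-2222.pdf", "pdf")]),
    "digits_not_in_name": Message(True, "The password is 4821.",
                                  [Attachment("Invoice.pdf", "pdf")]),
    "two_pdfs": Message(True, "The password is 4821.",
                        [Attachment("Invoice_4821.pdf", "pdf"), Attachment("Terms.pdf", "pdf")]),
    "pdf_plus_image": Message(True, "The password is 4821.",
                              [Attachment("Invoice_4821.pdf", "pdf"), Attachment("logo.png", "png")]),
    "capitalised_phrase": Message(True, "Password is 4821",
                                  [Attachment("Invoice_4821.pdf", "pdf")]),
    # one-digit password: substring check fires on the year in the filename
    "short_password_substring": Message(True, "The password is 1.",
                                        [Attachment("Invoice_2021.pdf", "pdf")]),
    "outbound": Message(False, "The password is 4821.",
                        [Attachment("Invoice_4821.pdf", "pdf")]),
}


def evaluate_samples():
    """Map each sample name to whether the rule fires on it."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:26} {'ALERT' if fired else 'no match'}")
```

Running it shows the rule firing on the first two samples, on the PDF-plus-image case, and on the single-digit password, while the two-PDF message, the capitalised "Password is", the filename without the digits and the outbound message all pass. If the short-password hits prove noisy in your environment, raising the minimum digit count in the regex is the obvious tuning knob.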
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: PDF with password in filename matching body text"
description: "Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(filter(attachments, .file_type == "pdf")) == 1
  and any(regex.extract(body.current_thread.text, 'password is (?P<pw>[0-9]{1,})'),
          any(filter(attachments, .file_type == "pdf"),
              strings.contains(.file_name, ..named_groups["pw"])
          )
  )
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "2c9c3b24-62de-539a-a217-219021f1014b"