Sublime rule, severity: high

Attachment: Invoice and W-9 PDFs with suspicious creators

Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and length(distinct(attachments, .sha1)) == 2
and length(filter(attachments, .file_type == "pdf")) == 2
// at least one of the PDFs was generated by Chrome/wkhtmltopdf
and any(filter(attachments, .file_type == "pdf"),
        beta.parse_exif(.).creator == "Chromium"
        or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
        or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
)
and any(attachments,
        strings.istarts_with(.file_name, 'lnv')
        or strings.istarts_with(.file_name, 'inv-')
        or strings.istarts_with(.file_name, "invoice_")
        or regex.contains(.file_name, '^Invoice\s\d{8,9}')
        or regex.contains(.file_name, '^INV[0-9]{7}')
        or regex.contains(.file_name, '^INV#[0-9]{12}')
        or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
        or strings.icontains(beta.ocr(.).text, "Executive Coaching")
        or strings.icontains(beta.ocr(.).text, "Professional Services")
        or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
        or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
        or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
)
and any(attachments,
        .file_name == ".pdf"
        or regex.contains(beta.ocr(.).text, 'W[=-]9')
        or regex.icontains(.file_name, 'w-?9')
)
and not (
  sender.email.domain.root_domain in ('intuit.com')
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
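To make the clause-by-clause logic of the query testable outside the Sublime platform, the following is an added example in plain Python (not Sublime's code or the rule's own implementation). The `Attachment` and `Message` dataclasses stand in for Sublime's message model, `pdf_creator()` is a minimal stand-in for `beta.parse_exif(.).creator` that reads only the literal-string form of a PDF `/Creator` entry, and every sample message, filename and PDF byte string below is constructed. It goes slightly beyond the query by exercising the edge cases a tuner would want to see: the `coalesce(dmarc.pass, false)` behaviour when the DMARC result is absent, the duplicate-attachment case, and the homoglyph and OCR variants the rule deliberately lists.

```python
"""Plain-Python re-implementation of the invoice + W-9 PDF rule above.
Added example, not Sublime's code: Attachment/Message and pdf_creator() are
stand-ins for Sublime's message model and beta.parse_exif(); all sample data
is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Attachment:
    file_name: str
    file_type: str
    sha1: str
    creator: str = ""   # stand-in for beta.parse_exif(.).creator
    ocr_text: str = ""  # stand-in for beta.ocr(.).text


@dataclass
class Message:
    attachments: List[Attachment]
    sender_root_domain: str            # sender.email.domain.root_domain
    inbound: bool = True               # type.inbound
    dmarc_pass: Optional[bool] = None  # headers.auth_summary.dmarc.pass; None = header absent


def pdf_creator(pdf_bytes: bytes) -> str:
    """Pull the /Creator literal string from a PDF's Info dictionary.
    Real PDFs may hex- or UTF-16-encode this value or omit it, so only the
    plain literal-string form is handled here."""
    m = re.search(rb"/Creator\s*\(([^)]*)\)", pdf_bytes)
    return m.group(1).decode("latin-1") if m else ""


INVOICE_NAME_RES = [r"^Invoice\s\d{8,9}", r"^INV[0-9]{7}", r"^INV#[0-9]{12}"]
INVOICE_OCR_PHRASES = ["Executive Business Coaching", "Executive Coaching",
                       "Professional Services", "Business Systems Integration",
                       "Consulting & Advisory", "Zoomlnfo"]  # lowercase-L homoglyph, as in the rule


def suspicious_creator(a: Attachment) -> bool:
    c = a.creator
    return c == "Chromium" or "wkhtmltopdf" in c.lower() or "headlesschrome" in c.lower()


def looks_like_invoice(a: Attachment) -> bool:
    lname, text = a.file_name.lower(), a.ocr_text.lower()
    return (lname.startswith(("lnv", "inv-", "invoice_"))                 # 'lnv' = homoglyph of 'inv'
            or any(re.search(p, a.file_name) for p in INVOICE_NAME_RES)  # case-sensitive, like regex.contains
            or any(p.lower() in text for p in INVOICE_OCR_PHRASES))


def looks_like_w9(a: Attachment) -> bool:
    return (a.file_name == ".pdf"                                        # name reduced to the extension
            or re.search(r"W[=-]9", a.ocr_text) is not None               # OCR often reads '-' as '='
            or re.search(r"w-?9", a.file_name, re.IGNORECASE) is not None)


def rule_matches(msg: Message) -> bool:
    """Mirror the MQL clause by clause; every clause must hold."""
    atts = msg.attachments
    pdfs = [a for a in atts if a.file_type == "pdf"]
    if not (msg.inbound and len({a.sha1 for a in atts}) == 2 and len(pdfs) == 2):
        return False
    if not any(suspicious_creator(a) for a in pdfs):
        return False
    if not (any(looks_like_invoice(a) for a in atts) and any(looks_like_w9(a) for a in atts)):
        return False
    # Exception only when DMARC actually passed: coalesce(null, false) keeps the match.
    dmarc = msg.dmarc_pass if msg.dmarc_pass is not None else False
    return not (msg.sender_root_domain in ("intuit.com",) and dmarc)


# Constructed PDF bytes: the Info dictionary is the only part this example inspects.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Creator (HeadlessChrome/120.0) /Title (Invoice) >>\nendobj\n"

INVOICE = Attachment("Invoice_20240417.pdf", "pdf", "sha1-a", pdf_creator(SAMPLE_PDF),
                     "Professional Services rendered\nAmount due: $4,850.00")
W9 = Attachment("form.pdf", "pdf", "sha1-b", "Microsoft Word",
                "Form W=9  Request for Taxpayer Identification Number")
BENIGN = Attachment("Invoice_20240417.pdf", "pdf", "sha1-c", "Microsoft Word", "Professional Services")


def evaluate_samples() -> dict:
    """Run the rule over constructed messages; returns {label: matched}."""
    return {
        "bec_pair":        rule_matches(Message([INVOICE, W9], "example.net")),
        "intuit_dmarc":    rule_matches(Message([INVOICE, W9], "intuit.com", dmarc_pass=True)),
        "intuit_no_dmarc": rule_matches(Message([INVOICE, W9], "intuit.com")),
        "word_creators":   rule_matches(Message([BENIGN, W9], "example.net")),
        "same_file_twice": rule_matches(Message([INVOICE, INVOICE], "example.net")),
        "outbound":        rule_matches(Message([INVOICE, W9], "example.net", inbound=False)),
    }


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:16} -> {'MATCH' if hit else 'no match'}")
```

Two points worth noticing when tuning: the invoice and W-9 indicators may be satisfied by the same attachment (each `any(...)` is evaluated independently), and the `intuit.com` exception does not fire when the DMARC result is missing, since `coalesce` turns a null into `false`.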

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Attachment: Invoice and W-9 PDFs with suspicious creators"
description: "Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(distinct(attachments, .sha1)) == 2
  and length(filter(attachments, .file_type == "pdf")) == 2
  // at least one of the PDFs was generated by Chrome/wkhtmltopdf
  and any(filter(attachments, .file_type == "pdf"),
          beta.parse_exif(.).creator == "Chromium"
          or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
          or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
  )
  and any(attachments,
          strings.istarts_with(.file_name, 'lnv')
          or strings.istarts_with(.file_name, 'inv-')
          or strings.istarts_with(.file_name, "invoice_")
          or regex.contains(.file_name, '^Invoice\s\d{8,9}')
          or regex.contains(.file_name, '^INV[0-9]{7}')
          or regex.contains(.file_name, '^INV#[0-9]{12}')
          or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
          or strings.icontains(beta.ocr(.).text, "Executive Coaching")
          or strings.icontains(beta.ocr(.).text, "Professional Services")
          or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
          or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
          or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
  )
  and any(attachments,
          .file_name == ".pdf"
          or regex.contains(beta.ocr(.).text, 'W[=-]9')
          or regex.icontains(.file_name, 'w-?9')
  )
  and not (
    sender.email.domain.root_domain in ('intuit.com')
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Exif analysis"
  - "Content analysis"
id: "305d6e32-4104-5007-a209-ee4686081de2"