← Back to Explore
sublimelowRule
Attachment: PDF file with link to fake Bitcoin exchange
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw funds prompts the user to enter payment information.
Detection Query
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and length(attachments) == 1
and all(attachments,
.file_extension == "pdf"
and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)')
and any(file.explode(.),
.scan.exiftool.page_count >= 5
and .depth == 0
and length(filter(.scan.strings.strings,
regex.match(., '^\/URI \(http.*')
)
) == 1
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Cryptocurrency
Raw Content
name: "Attachment: PDF file with link to fake Bitcoin exchange"
description: |
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets.
The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw
funds prompts the user to enter payment information.
references:
- "https://app.any.run/tasks/93d72f24-c021-48ad-a8eb-9b30c8660938"
type: "rule"
severity: "low"
source: |
type.inbound
and sender.email.domain.root_domain in $free_email_providers
and length(attachments) == 1
and all(attachments,
.file_extension == "pdf"
and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)')
and any(file.explode(.),
.scan.exiftool.page_count >= 5
and .depth == 0
and length(filter(.scan.strings.strings,
regex.match(., '^\/URI \(http.*')
)
) == 1
)
)
tags:
- "Cryptocurrency"
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Free email provider"
- "Impersonation: Brand"
- "PDF"
- "Social engineering"
detection_methods:
- "Exif analysis"
- "File analysis"
- "Sender analysis"
- "URL analysis"
id: "47601cb7-5278-58b1-b503-0456c235a18d"