← Back to Explore
sublimehighRule
Adobe branded PDF file linking to a password-protected file from untrusted sender
Detects pdf files with links to a remotely hosted password-protected file. This is a common technique abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
Detection Query
type.inbound
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
and strings.icontains(.scan.ocr.raw, "password-protected")
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "org" and .text == "Adobe"
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Adobe branded PDF file linking to a password-protected file from untrusted sender"
description: |
Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
and strings.icontains(.scan.ocr.raw, "password-protected")
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "org" and .text == "Adobe"
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "Impersonation: Brand"
- "PDF"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "5ea75469-58e8-561e-9a19-24da14a946b7"