← Back to Explore
sublimemediumRule
Suspicious attachment: Duplicate decoy PDF files
This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.
Detection Query
type.inbound
and length(attachments) > 1
and all(attachments, .file_type == "pdf")
and (
length(distinct(attachments, .file_name)) == 1
or length(distinct(attachments, .md5)) == 1
)
and all(attachments,
.file_type == "pdf"
and all(file.explode(.),
(
length(.scan.url.urls) == 0
or length(.scan.pdf.urls) == 0
or length(body.links) == 0
)
and .scan.ocr.raw is null
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Suspicious attachment: Duplicate decoy PDF files"
description: "This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) > 1
and all(attachments, .file_type == "pdf")
and (
length(distinct(attachments, .file_name)) == 1
or length(distinct(attachments, .md5)) == 1
)
and all(attachments,
.file_type == "pdf"
and all(file.explode(.),
(
length(.scan.url.urls) == 0
or length(.scan.pdf.urls) == 0
or length(body.links) == 0
)
and .scan.ocr.raw is null
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "File analysis"
- "Optical Character Recognition"
id: "79b9b2e7-295f-59d2-97fb-4f5fe13bc869"