EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Detects messages with credential theft PDFs linking to free subdomains.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.pdf.urls,
                    .domain.root_domain in $free_subdomain_hosts
                    and .domain.subdomain is not null
                    and .domain.subdomain != "www"
                )
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft"
                        and .confidence in ("medium", "high")
                )
        )
)
// unsolicited
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)"
description: |
  Detects messages with credential theft PDFs linking to free subdomains.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(.scan.pdf.urls,
                      .domain.root_domain in $free_subdomain_hosts
                      and .domain.subdomain is not null
                      and .domain.subdomain != "www"
                  )
                  and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                          .name == "cred_theft"
                          and .confidence in ("medium", "high")
                  )
          )
  )
  // unsolicited
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "90f4ef4e-463f-5ea6-ae83-82ea07a30b70"