Attachment: PDF contains W9 or invoice YARA signatures
PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
Detection Query
    type.inbound
    and any(filter(attachments, .file_type == "pdf"),
            any(file.explode(.),
                any(.scan.yara.matches,
                    .name in ("w9_pdf_01", "invoice_pdf_01", "w9_pdf_IDs")
                )
            )
        )
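The query above nests three predicates: the message must be inbound, only attachments whose file_type is exactly "pdf" are considered, every file produced by exploding such an attachment is scanned, and the rule fires when any of those files carries one of the three listed YARA rule names. The following is an added Python model of that evaluation logic run over constructed messages; it is not Sublime's own code or API, and the message, attachment and exploded-file structures, the field names and the sample subjects and file names are assumptions that mirror the query. It also returns the exact attachment, file and signature that fired, which the boolean query alone does not surface and which is useful for triage.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# YARA rule names taken from the detection query above.
W9_INVOICE_SIGNATURES = ("w9_pdf_01", "invoice_pdf_01", "w9_pdf_IDs")


@dataclass
class ExplodedFile:
    """One file produced by exploding an attachment: the attachment
    itself or an object embedded in it (structure is an assumption)."""
    name: str
    yara_matches: List[str] = field(default_factory=list)  # matched YARA rule names


@dataclass
class Attachment:
    file_name: str
    file_type: str  # the query compares this to the literal "pdf" (case-sensitive)
    exploded: List[ExplodedFile] = field(default_factory=list)


@dataclass
class Message:
    subject: str
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


def find_hits(msg: Message) -> List[Tuple[str, str, str]]:
    """Return (attachment, exploded file, signature) for every match the
    rule would count. Mirrors the query: inbound only, PDF attachments
    only, any exploded file, any listed YARA name."""
    if not msg.inbound:
        return []
    hits: List[Tuple[str, str, str]] = []
    for att in msg.attachments:
        if att.file_type != "pdf":
            continue  # non-PDF attachments are excluded even if YARA matched
        for exploded in att.exploded:
            for sig in exploded.yara_matches:
                if sig in W9_INVOICE_SIGNATURES:
                    hits.append((att.file_name, exploded.name, sig))
    return hits


def rule_fires(msg: Message) -> bool:
    """True when the detection query would evaluate to true for msg."""
    return bool(find_hits(msg))


# Constructed sample messages covering the rule's main branches.
SAMPLE_MESSAGES = [
    # Direct hit: inbound PDF whose own scan matched a W9 signature.
    Message("Updated W-9 for vendor file", True, [
        Attachment("W-9_form.pdf", "pdf", [
            ExplodedFile("W-9_form.pdf", ["w9_pdf_01"])])]),
    # Excluded: matching signature, but the attachment is not file_type "pdf".
    Message("Invoice attached", True, [
        Attachment("invoice.docx", "docx", [
            ExplodedFile("invoice.docx", ["invoice_pdf_01"])])]),
    # Hit via explode: the top-level PDF is clean, an embedded PDF matches.
    Message("Payment details", True, [
        Attachment("Invoice_2024.pdf", "pdf", [
            ExplodedFile("Invoice_2024.pdf", []),
            ExplodedFile("embedded_form.pdf", ["invoice_pdf_01"])])]),
    # Excluded: outbound message, so type.inbound is false.
    Message("Re: our W-9", False, [
        Attachment("W-9_form.pdf", "pdf", [
            ExplodedFile("W-9_form.pdf", ["w9_pdf_IDs"])])]),
    # Excluded: PDF matched an unrelated YARA rule only.
    Message("Quarterly report", True, [
        Attachment("report.pdf", "pdf", [
            ExplodedFile("report.pdf", ["some_other_rule"])])]),
]


def evaluate_samples() -> Dict[str, bool]:
    """Map each sample subject to whether the rule fires on it."""
    return {m.subject: rule_fires(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{m.subject!r}: fires={rule_fires(m)} hits={find_hits(m)}")
```

Two behaviours worth noting from the samples: a matching signature inside a non-PDF attachment does not trigger the rule, because the filter on file_type runs before the YARA check, and a match found only in an embedded object still counts, because the query iterates over the exploded files rather than just the top-level attachment.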
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: PDF contains W9 or invoice YARA signatures"
description: "PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name in ("w9_pdf_01", "invoice_pdf_01", "w9_pdf_IDs")
              )
          )
      )
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "Social engineering"
detection_methods:
- "File analysis"
- "YARA"
id: "9a8e8a98-34a6-5cdc-b151-d4eff3322f23"