EXPLORE
← Back to Explore
sublimemediumRule

Attachment: PDF with self-service platform links with self sender or blank recipients

Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution.

Detection Query

type.inbound
and sum([length(recipients.to), length(recipients.cc)]) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
and length(attachments) == 1
and beta.parse_exif(attachments[0]).page_count == 1
and any(filter(attachments, .file_type == "pdf"),
        any(filter(file.explode(.), .depth == 0),
            1 <= length(filter(.scan.url.urls,
                               // remove mailto: links
                               not strings.istarts_with(.url, 'mailto:')
                               and not strings.istarts_with(.url, 'email:')
                               // remove links found in exiftool output producer/creator
                               and not any([
                                             ..scan.exiftool.producer,
                                             ..scan.exiftool.creator
                                           ],
                                           . is not null
                                           and strings.icontains(.,
                                                                 ..domain.domain
                                           )
                               )
                               and not .domain.root_domain in ('pdf-tools.com')
                               and not .url in (
                                 'https://gamma.app/?utm_source=made-with-gamma'
                               )
                        )
            ) <= 3
            and all(.scan.url.urls,
                    .domain.root_domain in $self_service_creation_platform_domains
                    or .domain.domain in $self_service_creation_platform_domains
            )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: PDF with self-service platform links with self sender or blank recipients"
description: "Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sum([length(recipients.to), length(recipients.cc)]) == 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  and length(attachments) == 1
  and beta.parse_exif(attachments[0]).page_count == 1
  and any(filter(attachments, .file_type == "pdf"),
          any(filter(file.explode(.), .depth == 0),
              1 <= length(filter(.scan.url.urls,
                                 // remove mailto: links
                                 not strings.istarts_with(.url, 'mailto:')
                                 and not strings.istarts_with(.url, 'email:')
                                 // remove links found in exiftool output producer/creator
                                 and not any([
                                               ..scan.exiftool.producer,
                                               ..scan.exiftool.creator
                                             ],
                                             . is not null
                                             and strings.icontains(.,
                                                                   ..domain.domain
                                             )
                                 )
                                 and not .domain.root_domain in ('pdf-tools.com')
                                 and not .url in (
                                   'https://gamma.app/?utm_source=made-with-gamma'
                                 )
                          )
              ) <= 3
              and all(.scan.url.urls,
                      .domain.root_domain in $self_service_creation_platform_domains
                      or .domain.domain in $self_service_creation_platform_domains
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
  - "Free file host"
detection_methods:
  - "File analysis"
  - "Exif analysis"
  - "URL analysis"
  - "Sender analysis"
id: "9b97f4cf-ab96-5f92-a1ca-90967b94bcb1"