← Back to Explore
sublimemediumRule
Attachment: PDF with self-service platform links with self sender or blank recipients
Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution.
Detection Query
type.inbound
and sum([length(recipients.to), length(recipients.cc)]) == 1
and (
sender.email.email == recipients.to[0].email.email
or recipients.to[0].email.domain.valid == false
)
and length(attachments) == 1
and beta.parse_exif(attachments[0]).page_count == 1
and any(filter(attachments, .file_type == "pdf"),
any(filter(file.explode(.), .depth == 0),
1 <= length(filter(.scan.url.urls,
// remove mailto: links
not strings.istarts_with(.url, 'mailto:')
and not strings.istarts_with(.url, 'email:')
// remove links found in exiftool output producer/creator
and not any([
..scan.exiftool.producer,
..scan.exiftool.creator
],
. is not null
and strings.icontains(.,
..domain.domain
)
)
and not .domain.root_domain in ('pdf-tools.com')
and not .url in (
'https://gamma.app/?utm_source=made-with-gamma'
)
)
) <= 3
and all(.scan.url.urls,
.domain.root_domain in $self_service_creation_platform_domains
or .domain.domain in $self_service_creation_platform_domains
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: PDF with self-service platform links with self sender or blank recipients"
description: "Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution."
type: "rule"
severity: "medium"
source: |
type.inbound
and sum([length(recipients.to), length(recipients.cc)]) == 1
and (
sender.email.email == recipients.to[0].email.email
or recipients.to[0].email.domain.valid == false
)
and length(attachments) == 1
and beta.parse_exif(attachments[0]).page_count == 1
and any(filter(attachments, .file_type == "pdf"),
any(filter(file.explode(.), .depth == 0),
1 <= length(filter(.scan.url.urls,
// remove mailto: links
not strings.istarts_with(.url, 'mailto:')
and not strings.istarts_with(.url, 'email:')
// remove links found in exiftool output producer/creator
and not any([
..scan.exiftool.producer,
..scan.exiftool.creator
],
. is not null
and strings.icontains(.,
..domain.domain
)
)
and not .domain.root_domain in ('pdf-tools.com')
and not .url in (
'https://gamma.app/?utm_source=made-with-gamma'
)
)
) <= 3
and all(.scan.url.urls,
.domain.root_domain in $self_service_creation_platform_domains
or .domain.domain in $self_service_creation_platform_domains
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "Evasion"
- "Free file host"
detection_methods:
- "File analysis"
- "Exif analysis"
- "URL analysis"
- "Sender analysis"
id: "9b97f4cf-ab96-5f92-a1ca-90967b94bcb1"