
Attachment: Fictitious invoice using LinkedIn's address

Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself.

MITRE ATT&CK

initial-access

Detection Query

// Scope: inbound mail carrying one or two PDF attachments (0 < n < 3).
type.inbound
and 0 < length(filter(attachments, .file_type == "pdf")) < 3
// At least one PDF whose Exif metadata names a "wkhtmltopdf" creator or a
// "Qt " producer. Exif fields are set by whoever generated the file, so this
// is a weak, easily-absent signal on its own and is only used as a filter.
and any(filter(attachments,
               .file_type == "pdf"
               // creator and producer of PDF seen in malicious content
               and (
                 strings.starts_with(beta.parse_exif(.).creator, "wkhtmltopdf")
                 or strings.starts_with(beta.parse_exif(.).producer, "Qt ")
               )
        ),
        // ... and, among that PDF's exploded parts that produced OCR text,
        // one part satisfying all three conditions below.
        any(filter(file.explode(.), .scan.ocr.raw is not null),
            // contains LinkedIn HQ address but not from LinkedIn
            (
              // Case-insensitive match on the street address alone.
              strings.icontains(.scan.ocr.raw, "1000 W Maude Ave")
              // Topic classification of the current thread's body text — not the
              // attachment — reports "Financial Communications" above low confidence.
              // NOTE(review): this clause does not depend on the exploded part, so
              // it is re-evaluated per part; it could sit outside the any().
              and any(beta.ml_topic(body.current_thread.text).topics,
                      .name == "Financial Communications"
                      and .confidence != "low"
              )
              // The OCR text never names LinkedIn: the rule targets documents
              // that borrow the address without naming the company.
              and not strings.icontains(.scan.ocr.raw, "linkedin")
            ),
        )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Rule metadata shown in the catalog; the description restates the logic of
# `source` below in prose.
name: "Attachment: Fictitious invoice using LinkedIn's address"
description: "Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself."
type: "rule"
severity: "medium"
# Detection logic as an MQL block scalar (kept verbatim; `//` lines inside are
# MQL comments, not YAML comments). It requires inbound mail with one or two
# PDF attachments, at least one with a wkhtmltopdf creator or "Qt " producer in
# Exif, whose OCR text contains "1000 W Maude Ave" but not "linkedin", while
# the thread body is classified as "Financial Communications" above low
# confidence.
source: |
  type.inbound
  and 0 < length(filter(attachments, .file_type == "pdf")) < 3
  and any(filter(attachments,
                 .file_type == "pdf"
                 // creator and producer of PDF seen in malicious content
                 and (
                   strings.starts_with(beta.parse_exif(.).creator, "wkhtmltopdf")
                   or strings.starts_with(beta.parse_exif(.).producer, "Qt ")
                 )
          ),
          any(filter(file.explode(.), .scan.ocr.raw is not null),
              // contains LinkedIn HQ address but not from LinkedIn
              (
                strings.icontains(.scan.ocr.raw, "1000 W Maude Ave")
                and any(beta.ml_topic(body.current_thread.text).topics,
                        .name == "Financial Communications"
                        and .confidence != "low"
                )
                and not strings.icontains(.scan.ocr.raw, "linkedin")
              ),
          )
  )

# Classification tags used for catalog filtering; they do not affect matching.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
# Each listed method corresponds to a function used in `source`: file.explode
# (file analysis), .scan.ocr.raw (OCR), beta.ml_topic (NLU / content analysis),
# beta.parse_exif (Exif analysis).
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "Content analysis"
  - "Exif analysis"
# Stable rule identifier.
id: "aeee3d9f-4b34-5b56-9ac7-81dc3d344489"