← Back to Explore
sublimemediumRule
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
strings.icontains(.file_name, recipients.to[0].email.domain.sld)
and strings.starts_with(.file_name, "ATT")
and strings.icontains(.file_name, "eCheckRun")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: PDF file with recipient domain and ATT eCheckRun pattern"
description: "Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
strings.icontains(.file_name, recipients.to[0].email.domain.sld)
and strings.starts_with(.file_name, "ATT")
and strings.icontains(.file_name, "eCheckRun")
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "PDF"
- "Social engineering"
detection_methods:
- "File analysis"
- "Content analysis"
id: "bae6e288-85c0-59b8-9fc7-ce9001dad3d2"