EXPLORE
← Back to Explore
sublimemediumRule

Attachment: PDF file with recipient domain and ATT eCheckRun pattern

Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        strings.icontains(.file_name, recipients.to[0].email.domain.sld)
        and strings.starts_with(.file_name, "ATT")
        and strings.icontains(.file_name, "eCheckRun")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: PDF file with recipient domain and ATT eCheckRun pattern"
description: "Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          strings.icontains(.file_name, recipients.to[0].email.domain.sld)
          and strings.starts_with(.file_name, "ATT")
          and strings.icontains(.file_name, "eCheckRun")
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "bae6e288-85c0-59b8-9fc7-ce9001dad3d2"