Sublime rule, severity: medium

Attachment: Finance themed PDF with observed phishing template

Detects PDF attachments containing a specific rectangular coordinate pattern at position [249.75 560 407.25 599.75], which may indicate a templated or malicious document structure.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            any(.scan.strings.strings,
                strings.contains(., "/Rect [ 249.75 560 407.25 599.75 ]")
            )
        )
)
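To show what this query actually evaluates, here is a Python approximation of the rule run over constructed sample messages. It is an added example, not the page's or Sublime's own code: `file.explode` and `.scan.strings.strings` are emulated by inflating FlateDecode streams and pulling printable runs out of the bytes, which is an assumption about what those functions expose, and the PDFs, message dictionaries and the `rule_fires`/`attachment_matches` helpers are all constructed here.

```python
"""Python approximation of the Sublime rule on this page, added as a worked example
(not the page's or Sublime's own code). file.explode and .scan.strings.strings are
emulated by inflating FlateDecode streams and extracting printable runs; that
emulation is an assumption about what the real functions expose."""
import re
import zlib

# Exact marker the rule matches; the spacing inside the brackets is part of the match.
TEMPLATE_RECT = "/Rect [ 249.75 560 407.25 599.75 ]"

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")  # strings(1)-style: >=4 printable bytes


def inflate_streams(pdf_bytes: bytes) -> bytes:
    """Append the inflated body of every zlib-compressed stream to the raw bytes,
    so text stored inside object streams becomes visible to a strings scan."""
    inflated = []
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a FlateDecode stream; its raw bytes are scanned anyway
    return pdf_bytes + b"\n" + b"\n".join(inflated)


def extract_strings(data: bytes) -> list:
    return [m.group(0).decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def attachment_matches(attachment: dict, inflate: bool = True) -> bool:
    """Per-attachment part of the rule: a PDF whose strings contain the marker."""
    if attachment["file_type"] != "pdf":
        return False
    data = attachment["content"]
    if inflate:
        data = inflate_streams(data)
    return any(TEMPLATE_RECT in s for s in extract_strings(data))


def rule_fires(message: dict, inflate: bool = True) -> bool:
    """Whole rule: type.inbound and any PDF attachment matching."""
    return message["direction"] == "inbound" and any(
        attachment_matches(a, inflate) for a in message["attachments"])


def build_pdf(rect: str, compress: bool = False) -> bytes:
    """Constructed minimal PDF (no xref table) with one /Link annotation at `rect`.
    With compress=True the annotation lives in a FlateDecode object stream (PDF 1.5),
    which hides it from a naive strings scan of the raw file."""
    annot = ("<< /Type /Annot /Subtype /Link " + rect +
             " /A << /S /URI /URI (https://example.invalid/) >> >>").encode()
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
        b" /Annots [4 0 R] >> endobj",
    ]
    if compress:
        header = b"4 0 "  # object number 4 at offset 0 within the object stream
        body = zlib.compress(header + annot)
        objs.append(b"5 0 obj << /Type /ObjStm /N 1 /First %d /Length %d"
                    b" /Filter /FlateDecode >>\nstream\n" % (len(header), len(body))
                    + body + b"\nendstream endobj")
    else:
        objs.append(b"4 0 obj " + annot + b" endobj")
    return b"%PDF-1.5\n" + b"\n".join(objs) + b"\n%%EOF\n"


def message(attachments: list, direction: str = "inbound") -> dict:
    return {"direction": direction, "attachments": attachments}


# Constructed sample messages covering the rule's branches.
PLAIN = message([{"file_type": "pdf", "content": build_pdf(TEMPLATE_RECT)}])
COMPRESSED = message([{"file_type": "pdf", "content": build_pdf(TEMPLATE_RECT, compress=True)}])
OTHER_RECT = message([{"file_type": "pdf", "content": build_pdf("/Rect [ 72 700 300 720 ]")}])
NOT_PDF = message([{"file_type": "txt", "content": TEMPLATE_RECT.encode()}])
OUTBOUND = message([{"file_type": "pdf", "content": build_pdf(TEMPLATE_RECT)}], direction="outbound")

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN), ("compressed", COMPRESSED), ("other rect", OTHER_RECT),
                      ("not a pdf", NOT_PDF), ("outbound", OUTBOUND)]:
        print(f"{name:>11}: fires={rule_fires(msg)}  raw-only={rule_fires(msg, inflate=False)}")
```

Two things the example makes visible: `strings.contains` is a literal substring test, so the rule keys on the exact spacing `[ 249.75 560 407.25 599.75 ]` and a writer that emits `[249.75 560 407.25 599.75]` would not fire; and an annotation stored in a compressed object stream is invisible to a raw scan of the file, which is why the rule scans the output of `file.explode` rather than the attachment bytes directly.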

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Attachment: Finance themed PDF with observed phishing template"
description: "Detects PDF attachments containing a specific rectangular coordinate pattern at position [249.75 560 407.25 599.75], which may indicate a templated or malicious document structure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.strings.strings,
                  strings.contains(., "/Rect [ 249.75 560 407.25 599.75 ]")
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "c936f7cc-6139-59d6-982d-26e9f523b143"