← Back to Explore
sublimemediumRule
Attachment: Encrypted PDF with credential theft body
Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.exiftool.fields, .key == "Encryption")
or (
.scan.entropy.entropy > 7
and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
)
)
// Encrypted PDFs do not have child nodes with any data
and all(filter(file.explode(.), .depth > 0), .size == 0)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or regex.icontains(body.current_thread.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
'(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
)
or (
(
length(body.current_thread.text) <= 10
or (body.current_thread.text is null)
)
and any(body.previous_threads,
regex.icontains(.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
'(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
)
)
)
)
// not forwards/replies
and not (
(length(headers.references) > 0 or headers.in_reply_to is not null)
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender_email().solicited
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
or (
length(recipients.to) == 0
or all(recipients.to,
strings.ilike(.display_name, "undisclosed?recipients")
)
)
or (
length(recipients.to) == 1
and any(recipients.to, .email.email == sender.email.email)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Encrypted PDF with credential theft body"
description: "Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.exiftool.fields, .key == "Encryption")
or (
.scan.entropy.entropy > 7
and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
)
)
// Encrypted PDFs do not have child nodes with any data
and all(filter(file.explode(.), .depth > 0), .size == 0)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or regex.icontains(body.current_thread.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
'(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
)
or (
(
length(body.current_thread.text) <= 10
or (body.current_thread.text is null)
)
and any(body.previous_threads,
regex.icontains(.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
'(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
)
)
)
)
// not forwards/replies
and not (
(length(headers.references) > 0 or headers.in_reply_to is not null)
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender_email().solicited
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
or (
length(recipients.to) == 0
or all(recipients.to,
strings.ilike(.display_name, "undisclosed?recipients")
)
)
or (
length(recipients.to) == 1
and any(recipients.to, .email.email == sender.email.email)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "PDF"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Exif analysis"
- "File analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "c9596c9a-0465-5364-8523-542e6d25a8f7"