Attachment: Fake voicemail via PDF

name: "Attachment: Fake voicemail via PDF"
description: "Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // a single PDF attachment
  and length(attachments) == 1
  // the subject doesn't contain fax, which is currently a common match for the topic
  and not strings.icontains(subject.subject, 'fax')
  and ml.nlu_classifier(subject.subject).language == "english"
  and any(beta.ml_topic(body.current_thread.text).topics,
          .confidence == "high"
          and .name == "Voicemail Call and Missed Call Notifications"
  )
  // the Topic analysis of the PDF is Voicemail
  and any(attachments,
          .file_extension == "pdf"
          // the NLU detected language is english
          and ml.nlu_classifier(beta.ocr(.).text).language == "english"
          and length(beta.ocr(.).text) > 100
          and any(beta.ml_topic(beta.ocr(.).text).topics,
                  .confidence == "high"
                  and .name == "Voicemail Call and Missed Call Notifications"
          )
          and beta.ocr(.).success
          // contains a link or QR code
          and any(file.explode(.),
                  0 < length(.scan.pdf.urls) <= 2 or .scan.qr.url.url is not null
          )
          // there is only a single page
          and any(file.explode(.), .depth == 0 and .scan.exiftool.page_count == 1)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "QR code analysis"
  - "URL analysis"
id: "d3587209-a8e6-5209-8dfc-35646b6ccd23"