EXPLORE
← Back to Explore
sublimemediumRule

Attachment: PDF with fake invoice using suspicious font sizing

PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            any(.scan.yara.matches,
                .name == "pdf_fake_invoice_image_font_sizes"
            )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: PDF with fake invoice using suspicious font sizing"
description: "PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name == "pdf_fake_invoice_image_font_sizes"
              )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Content analysis"
id: "d7721177-8a36-56ef-9e1e-8a54c6a0409b"