← Back to Explore
sublimemediumRule
Attachment: PDF with fake invoice using suspicious font sizing
PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches,
.name == "pdf_fake_invoice_image_font_sizes"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: PDF with fake invoice using suspicious font sizing"
description: "PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.yara.matches,
.name == "pdf_fake_invoice_image_font_sizes"
)
)
)
attack_types:
- "BEC/Fraud"
- "Callback Phishing"
tactics_and_techniques:
- "PDF"
- "Social engineering"
detection_methods:
- "File analysis"
- "YARA"
- "Content analysis"
id: "d7721177-8a36-56ef-9e1e-8a54c6a0409b"