sublime | medium | Rule
Link: PDF display text with fake copyright claim template
Detects inbound messages that use a fake copyright claim template: an HTML table row whose first cell holds an image with a 25px height and whose second cell holds a link with display text that references a PDF. This deceptive formatting potentially indicates a malicious PDF delivery attempt.
Detection Query
type.inbound
and any(html.xpath(body.html, '//tr[td[1]/img[@height="25px"]]/td[2]//a').nodes,
        strings.icontains(.display_text, "PDF")
)
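To see what the XPath selects, here is an added example (not part of the rule or of Sublime's own code) that re-implements the match with Python's standard library and runs it over two constructed HTML bodies. It assumes `.display_text` is the link's whitespace-normalised text and that `td` tags are explicitly closed; `type.inbound` is not modelled, and the names `TemplateLinkFinder` and `rule_matches` are hypothetical.

```python
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "input", "meta", "link", "col", "wbr"}

class TemplateLinkFinder(HTMLParser):
    """Approximates //tr[td[1]/img[@height="25px"]]/td[2]//a without an XPath engine."""
    def __init__(self):
        super().__init__()
        self.path = []    # open elements: tag, tds (td children seen), idx, img25
        self.text = None  # text chunks of the matching <a> currently open
        self.hits = []    # display text of every matching link

    def handle_starttag(self, tag, attrs):
        node = {"tag": tag, "tds": 0, "idx": 0, "img25": False}
        parent = self.path[-1] if self.path else None
        if tag == "td" and parent and parent["tag"] == "tr":
            parent["tds"] += 1
            node["idx"] = parent["tds"]        # position among the row's td children
        elif tag == "img" and parent and parent["idx"] == 1:
            if dict(attrs).get("height") == "25px":
                self.path[-2]["img25"] = True  # mark the enclosing <tr>
        elif tag == "a" and any(c["idx"] == 2 and r["img25"]
                                for r, c in zip(self.path, self.path[1:])):
            self.text = []                     # link sits under td[2] of a marked row
        if tag not in VOID:
            self.path.append(node)

    def handle_data(self, data):
        if self.text is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.text is not None:
            self.hits.append(" ".join("".join(self.text).split()))
            self.text = None
        if any(n["tag"] == tag for n in self.path):
            while self.path.pop()["tag"] != tag:
                pass

def rule_matches(body_html):
    # Equivalent of any(<nodes>, strings.icontains(.display_text, "PDF")).
    finder = TemplateLinkFinder()
    finder.feed(body_html)
    return any("pdf" in text.lower() for text in finder.hits)

# Constructed sample bodies (not taken from real messages).
TEMPLATE = ('<table><tr><td><img src="cid:icon" height="25px"></td><td><b>'
            '<a href="https://example.com/x">Infringement_Report.pdf</a></b></td></tr></table>')
BENIGN = ('<table><tr><td><img src="cid:logo" height="40px"></td>'
          '<td><a href="https://example.com/doc">Download PDF</a></td></tr></table>')
```

`rule_matches(TEMPLATE)` is true and `rule_matches(BENIGN)` is false: the second body has PDF link text but no 25px-high image in the first cell, so the row predicate fails.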
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: PDF display text with fake copyright claim template"
description: "Detects messages containing fake copyright claims with table rows with 25px height images and links where the display text references PDF content, potentially indicating malicious PDF delivery attempts through deceptive formatting."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(html.xpath(body.html, '//tr[td[1]/img[@height="25px"]]/td[2]//a').nodes,
          strings.icontains(.display_text, "PDF")
  )
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Image as content"
- "PDF"
detection_methods:
- "Content analysis"
- "HTML analysis"
id: "e67418db-f67f-5c8e-ad9f-fcee22596fa7"