EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Attachment: PDF with suspicious HeadlessChrome metadata

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1204.002T1486T1036T1027
defense-evasion

Detection Query

type.inbound
and any(filter(attachments, .file_extension == "pdf"),
        strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
        and beta.parse_exif(.).page_count == 1
        and (
          // MD5 filename, 32 hex chars and .html
          (
            regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
            or 
            // about:blank and Windows HeadlessChrome
            (
              beta.parse_exif(.).title == "about:blank"
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
            // cred theft intents on the message and Windows Headless Chrome
            or (
              any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
          )
          and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
        )
)
and not (
  sender.email.domain.root_domain in (
    "guardtek.net",
    "gominis.com",
    "aglgroup.com",
    "truckerzoom.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: PDF with suspicious HeadlessChrome metadata"
description: "Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_extension == "pdf"),
          strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
          and beta.parse_exif(.).page_count == 1
          and (
            // MD5 filename, 32 hex chars and .html
            (
              regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
              or 
              // about:blank and Windows HeadlessChrome
              (
                beta.parse_exif(.).title == "about:blank"
                and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
                and strings.icontains(beta.parse_exif(.).creator, "Windows")
              )
              // cred theft intents on the message and Windows Headless Chrome
              or (
                any(ml.nlu_classifier(body.current_thread.text).intents,
                    .name == "cred_theft" and .confidence != "low"
                )
                and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
                and strings.icontains(beta.parse_exif(.).creator, "Windows")
              )
            )
            and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
          )
  )
  and not (
    sender.email.domain.root_domain in (
      "guardtek.net",
      "gominis.com",
      "aglgroup.com",
      "truckerzoom.com"
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

tags:
- "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "eda99b1d-5639-57a0-860e-2d55b7f3b84f"