EXPLORE DETECTIONS

8,011 detections found

Attachment: PDF generated with wkhtmltopdf tool and default title

Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes.

ATT&CK: T1566.002, T1534, T1656, T1566.003, T1598 (+6 more)
Sublime | Severity: low

Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification

Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) that may indicate malicious content or known threat indicators.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027
Sublime | Severity: medium

Attachment: PDF proposal with credential theft indicators

Detects a PDF attachment with 'proposal' in the filename that contains the sender's or recipient's domain, where credential theft language is detected via OCR and the document includes a single URL link.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Sublime | Severity: high

Attachment: PDF with a suspicious string and single URL

Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Sublime | Severity: high

Attachment: PDF with credential theft language and invalid reply-to domain

Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Sublime | Severity: medium

Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Detects messages with credential theft PDFs linking to free subdomains.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Sublime | Severity: medium

Attachment: PDF with embedded Javascript

Detects a PDF attachment that contains embedded JavaScript.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Sublime | Severity: medium

Attachment: PDF with link to DMG file download

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer malware.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027
Sublime | Severity: medium

Attachment: PDF with link to zip containing a wsf file

Detects a PDF attachment with a link to a ZIP file that contains a WSF (Windows Script File).

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027
Sublime | Severity: high

Attachment: PDF with Microsoft Purview message impersonation

Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | Severity: medium

Attachment: PDF with multistage landing - ClickUp abuse

Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Sublime | Severity: high

Attachment: PDF with password in filename matching body text

Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text.

ATT&CK: T1566.001, T1204.002, T1486, T1566, T1566.002 (+4 more)
Sublime | Severity: medium

Attachment: PDF with personal Microsoft OneNote URL

Detects PDF attachments containing a SharePoint URL that references the sender's personal OneNote.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Sublime | Severity: medium

Attachment: PDF with recipient email in link

Detects PDF attachments that contain the recipient's domain in the filename and include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1027 (+1 more)
Sublime | Severity: high

Attachment: PDF with ReportLab library and default metadata

Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Sublime | Severity: low

Attachment: PDF with suspicious HeadlessChrome metadata

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Sublime | Severity: medium

Attachment: PDF with suspicious language and redirect to suspicious file type

The attached PDF contains credential theft language and links to an open redirect that leads to a suspicious file type. This has been observed in the wild as a Qakbot technique.

ATT&CK: T1566.001, T1204.002, T1486, T1566, T1566.002 (+3 more)
Sublime | Severity: high

Attachment: PDF with suspicious link and action-oriented language

Detects PDF attachments containing a single link that leads to pages with language prompting users to view, review, or read documents, accounts, or business-related content such as bids, proposals, agreements, or contracts.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Sublime | Severity: high

Attachment: Potential sandbox evasion in Office file

Scans attached files with a known Office file extension and alerts on the presence of strings indicative of sandbox evasion checks. Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Sublime | Severity: high

Attachment: PowerPoint with suspicious hyperlink

The attached PowerPoint file contains a suspicious hyperlink that can execute arbitrary code.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Sublime | Severity: high

Attachment: PowerShell content

Recursively scans files and archives to detect PowerShell content. While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.

ATT&CK: T1566.001, T1204.002, T1486, T1059
Sublime | Severity: high

Attachment: Python generated PDF with link

The PDF attachment was created with a Python-based script and contains one or more links. These techniques were used by PikaBot, among others.

ATT&CK: T1036, T1027
Sublime | Severity: medium

Attachment: QR code link with base64-encoded recipient address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+3 more)
Sublime | Severity: high

Attachment: QR code with credential phishing indicators

Detects messages with one to three attachments containing a QR code with suspicious credential theft indicators, such as a LinkAnalysis credential phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a ZIP or executable, use of URL shorteners, known QR-abused open redirects, and more.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Sublime | Severity: medium

Page 17 of 334