EXPLORE DETECTIONS
Attachment: Office file with credential phishing URLs
Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis.
Attachment: Office file with document sharing and browser instruction lures
Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.
Attachment: Office file with suspicious function calls or downloaded file path
Attached Office file contains suspicious function calls or known malicious file path pattern.
Attachment: OLE external relationship containing file scheme link to executable filetype
This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.
Attachment: OLE external relationship containing file scheme link to IP address
This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.
Attachment: Password-protected PDF with fake document indicators
Detects PDF attachments that are password protected and matching YARA signatures looking for specific content observed in previous activity.
Attachment: PDF Attachment with links to workers.dev
Detects inbound messages containing PDF attachments with fewer than 5 pages that, when analyzed, contain URLs pointing to workers.dev subdomains. This pattern indicates potential abuse of Cloudflare Workers infrastructure to host malicious content delivered via PDF documents.
Attachment: PDF bid/proposal lure with credential theft indicators
Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.
Attachment: PDF contains W9 or invoice YARA signatures
PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
Attachment: PDF file with embedded content
Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.
Attachment: PDF file with link to fake Bitcoin exchange
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw funds prompts the user to enter payment information.
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing.
Attachment: PDF generated with wkhtmltopdf tool and default title
Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes.
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) that may indicate malicious content or known threat indicators.
Attachment: PDF Object Hash associated with a fake invoice and a W-9
Matching PDF Object Hash associated with a fake invoice followed by a W-9.
Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents
Matching PDF Object Hash associated with chrome -> export to pdf of a shared document related to Canada's Revenue Agency.
Attachment: PDF Object Hash with Blue File Icon
Detects PDF attachments containing a specific object hash (8638ef6bfe382a927aa12a18f2150757) associated with encrypted PDFs leading to cred phishing.
Attachment: PDF proposal with credential theft indicators
PDF attachment with 'proposal' in filename contains sender or recipient domain, credential theft language detected via OCR, and includes a single URL link.
Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
Attachment: PDF with blurry lure image
Detects PDF attachments containing a blurry image used in credential phishing lures.
Attachment: PDF with credential theft language and invalid reply-to domain
Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
Detects messages with credential theft PDFs linking to free subdomains.