EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: Office file with credential phishing URLs

Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: Office file with document sharing and browser instruction lures

Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: Office file with suspicious function calls or downloaded file path

Attached Office file contains suspicious function calls or known malicious file path pattern.

T1566.001T1204.002T1486T1036T1027+1
Sublimehigh

Attachment: OLE external relationship containing file scheme link to executable filetype

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: OLE external relationship containing file scheme link to IP address

This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: Password-protected PDF with fake document indicators

Detects PDF attachments that are password protected and matching YARA signatures looking for specific content observed in previous activity.

T1566.001T1204.002T1486T1566T1566.002+4
Sublimemedium

Attachment: PDF Attachment with links to workers.dev

Detects inbound messages containing PDF attachments with fewer than 5 pages that, when analyzed, contain URLs pointing to workers.dev subdomains. This pattern indicates potential abuse of Cloudflare Workers infrastructure to host malicious content delivered via PDF documents.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: PDF bid/proposal lure with credential theft indicators

Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.

T1566.002T1534T1656T1566T1566.001+1
Sublimemedium

Attachment: PDF contains W9 or invoice YARA signatures

PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.

T1566.002T1534T1656T1566T1566.001+1
Sublimemedium

Attachment: PDF file with embedded content

Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.

T1566.001T1204.002T1486
Sublimehigh

Attachment: PDF file with link to fake Bitcoin exchange

Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw funds prompts the user to enter payment information.

T1566.002T1534T1656T1598.003T1566+1
Sublimelow

Attachment: PDF file with low reputation link to ZIP file (unsolicited)

Detects messages with PDF attachments linking directly to zip files from unsolicited senders.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: PDF file with recipient domain and ATT eCheckRun pattern

Detects PDF attachments with filenames containing the recipient's domain, potentially indicating targeted financial document spoofing.

T1566.002T1534T1656T1566T1598
Sublimemedium

Attachment: PDF generated with wkhtmltopdf tool and default title

Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes.

T1566.002T1534T1656T1566.003T1598+6
Sublimelow

Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification

Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) that may indicate malicious content or known threat indicators.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: PDF Object Hash associated with a fake invoice and a W-9

Matching PDF Object Hash associated with a fake invoice followed by a W-9.

T1566.002T1534T1656T1036T1027
Sublimehigh

Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents

Matching PDF Object Hash associated with chrome -> export to pdf of a shared document related to Canada's Revenue Agency.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: PDF Object Hash with Blue File Icon

Detects PDF attachments containing a specific object hash (8638ef6bfe382a927aa12a18f2150757) associated with encrypted PDFs leading to cred phishing.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: PDF proposal with credential theft indicators

PDF attachment with 'proposal' in filename contains sender or recipient domain, credential theft language detected via OCR, and includes a single URL link.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: PDF with a suspicious string and single URL

Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: PDF with blurry lure image

Detects PDF attachments containing a blurry image used in credential phishing lures.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: PDF with credential theft language and invalid reply-to domain

Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Detects messages with credential theft PDFs linking to free subdomains.

T1566T1566.001T1566.002T1598
Sublimemedium
PreviousPage 8 of 49Next