Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender
Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type.inbound and any(attachments, .file_extension == "pdf" and any(file.explode(.), any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence == "high" ) and strings.icontains(.scan.ocr.raw, "password-protected") and any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "org" and .text == "Adobe" ) ) ) and ( profile.by_sender().prevalence in ("new", "outlier") or ( profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) )
Test against your own EMLs or sample data.
Get Started. Today.
Managed or self-managed. No MX changes.