High Severity
Attachment: Decoy PDF Author (Julie P.)
Description
This detection rule matches on messages containing one or more Decoy PDF attachments with metadata discovered to have been assoicated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resource and password expiration lures.
References
No references.
Sublime Security
Created Jul 26th, 2024 • Last updated Oct 2nd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) > 0
and any(attachments,
.size <= 250000
and .file_extension == "pdf"
and any(file.explode(.),
(
.scan.exiftool.producer == "DocFly"
or any(.scan.exiftool.fields,
.key == "XMPToolkit"
and strings.icontains(.value, 'DynaPDF')
)
)
and (
any(.scan.exiftool.fields,
.key == "CreatorTool"
and .value == "Acrobat PDFMaker 24 for Word"
)
or any(.scan.exiftool.fields,
.key == "ContentTypeId"
and .value == "2.2388136001807807e+43"
)
or any(.scan.exiftool.fields,
.key == "Creator"
and .value in ('Julie Peters', 'Julie Pieters')
)
or any(.scan.exiftool.fields,
.key == "Author"
and .value in ('Julie Peters', 'Julie Pieters')
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.