• Sublime Core Feed
Medium Severity

Attachment: Encrypted PDF with credential theft body

Labels

Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis

Description

Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.

References

No references.

Sublime Security
Created Aug 27th, 2024 • Last updated Feb 26th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            any(.scan.exiftool.fields, .key == "Encryption")
            or (
              .scan.entropy.entropy > 7
              and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
            )
        )
        // Encrypted PDFs do not have child nodes with any data
        and all(filter(file.explode(.), .depth > 0), .size == 0)
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence in ("medium", "high")
  )
  or regex.icontains(body.current_thread.text,
                     'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code',
                     '(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
                     'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
                     '(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
  )
  or (
    (
      length(body.current_thread.text) <= 10
      or (body.current_thread.text is null)
    )
    and any(body.previous_threads,
            regex.icontains(.text,
                            'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code',
                            '(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
                            'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
                            '(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}PDF(?:\S+\s+){0,3}pass(?:word|code)'
            )
    )
  )
)
// not forwards/replies
and not (
  (length(headers.references) > 0 or headers.in_reply_to is not null)
  and (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) >= 1
)
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  or (
    length(recipients.to) == 0
    or all(recipients.to,
           strings.ilike(.display_name, "undisclosed?recipients")
    )
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to, .email.email == sender.email.email)
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started