• Sublime Core Feed
Medium Severity

Attachment: Encrypted PDF With Credential Theft Body

Labels

Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis

Description

Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.

References

No references.

Sublime Security
Created Aug 27th, 2024 • Last updated Oct 10th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                any(.scan.exiftool.fields, .key == "Encryption")
                or (
                  .scan.entropy.entropy > 7
                  and any(.scan.strings.strings,
                          strings.icontains(., "/Encrypt")
                  )
                )
        )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started