Description

Attached PDF is encrypted, and email body contains credential theft language, wrapped in an attached .eml file. Seen in-the-wild impersonating e-fax services.

References

No references.

Sublime Security
Created Jul 13th, 2026 • Last updated Jul 13th, 2026
Source
type.inbound
and any(attachments,
        any(filter(file.parse_eml(.).attachments, .file_type == "pdf"),
            any(file.explode(.),
                any(.scan.exiftool.fields, .key == "Encryption")
                or (
                  .scan.entropy.entropy > 7
                  and any(.scan.strings.strings,
                          strings.icontains(., "/Encrypt")
                  )
                )
            )
            // Encrypted PDFs do not have child nodes with any data
            and all(filter(file.explode(.), .depth > 0), .size == 0)
        )
        and (
          any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
              .name == "cred_theft" and .confidence in ("medium", "high")
          )
          or any(ml.nlu_classifier(beta.ocr(file.html_screenshot(file.parse_eml(.
                                                                 ).body.html
                                            )
                                   ).text
                 ).intents,
                 .name == "cred_theft" and .confidence in ("medium", "high")
          )
          or regex.icontains(file.parse_eml(.).body.current_thread.text,
                             'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
                             '(?:Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
                             'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
                             '(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}(?:PDF|statement)(?:\S+\s+){0,3}(?:pass(?:word|code)|\s*with\s+\S+)'
          )
          or (
            (
              length(file.parse_eml(.).body.current_thread.text) <= 10
              or (file.parse_eml(.).body.current_thread.text is null)
            )
            and any(file.parse_eml(.).body.previous_threads,
                    regex.icontains(.text,
                                    'PDF\s*(?:Access|Preview|Unlock|Decrypt|passcode)',
                                    '(?:Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*(?:\S+\s+){0,3}PDF\s*is?\s*:',
                                    'This\s+(?:file|document|pdf)\s+is\s+(?:password[-\s]?)\s+protected\.\s*The\s+password\s+is\s*:?',
                                    '(?:Access|Preview|Unlock|Decrypt)\s+(?:\S+\s+){0,3}(?:PDF|statement)(?:\S+\s+){0,3}(?:pass(?:word|code)|\s*with\s+\S+)'
                    )
            )
          )
        )
)
// not forwards/replies
and not (
  (length(headers.references) > 0 or headers.in_reply_to is not null)
  and (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) >= 1
)
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  or (
    length(recipients.to) == 0
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to, .email.email == sender.email.email)
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started