Medium Severity

Attachment: Fake Voicemail via PDF

Labels

Credential Phishing

PDF

Optical Character Recognition

QR code analysis

URL analysis

Description

Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code.

References

No references.

Sublime Security

Created Apr 30th, 2025 • Last updated Apr 30th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// a single PDF attachment
and length(attachments) == 1
// the subject doesn't contain fax, which is currently a common match for the topic
and not strings.icontains(subject.subject, 'fax')
and ml.nlu_classifier(subject.subject).language == "english"
and any(beta.ml_topic(body.current_thread.text).topics,
        .confidence == "high"
        and .name == "Voicemail Call and Missed Call Notifications"
)
// the Topic analysis of the PDF is Voicemail
and any(attachments,
        .file_extension == "pdf"
        // the NLU detected language is english
        and ml.nlu_classifier(beta.ocr(.).text).language == "english"
        and length(beta.ocr(.).text) > 100
        and any(beta.ml_topic(beta.ocr(.).text).topics,
                .confidence == "high"
                and .name == "Voicemail Call and Missed Call Notifications"
        )
        and beta.ocr(.).success
        // contains a link or QR code
        and any(file.explode(.),
                0 < length(.scan.pdf.urls) <= 2 or .scan.qr.url.url is not null
        )
        // there is only a single page
        and any(file.explode(.), .depth == 0 and .scan.exiftool.page_count == 1)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.