Medium Severity
Attachment: Legal Themed Message with PDF Containing Suspicious Link
Description
Message contains urgent legal language, with an attached PDF containing links that redirect through URL shorteners, use suspicious TLDs or CAPTCHA pages.
References
No references.
Sublime Security
Created Jun 6th, 2025 • Last updated Jun 6th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// short body
and length(body.current_thread.text) < 1500
// // legal with urgency
and any(beta.ml_topic(body.html.display_text).topics,
.name == "Legal and Compliance" and .confidence in ("medium", "high")
)
// is not a reply
and length(headers.references) == 0
and headers.in_reply_to is null
and (
// only one attachment
length(attachments) == 1
// or, any 2 attachments share the ~same file name
or any(attachments,
any(regex.extract(.file_name,
// the regex extracts the file name, discarding the file extention and any numbers in parens
// "test.txt" and "test (1).pdf" become "test"
'(?P<file_name>.*?)(?:\s*\([^)]+\))*\.[^.]+$'
),
length(filter(attachments,
strings.istarts_with(.file_name,
..named_groups["file_name"]
)
)
) > 1
)
)
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
0 < length(.scan.pdf.urls) < 5
and (
// exported from google docs
strings.icontains(.scan.exiftool.producer,
"Google Docs Renderer"
)
and any(.scan.pdf.urls,
// with links that are URL shortners
.domain.root_domain in $url_shorteners
or .domain.domain in $url_shorteners
// when visiting those links, the link it is sus
or ml.link_analysis(.).effective_url.domain.tld in $suspicious_tlds
or ml.link_analysis(.).credphish.contains_captcha
or ml.link_analysis(.).credphish.disposition == "phishing"
or strings.icontains(ml.link_analysis(.).final_dom.display_text,
"I'm Human"
)
)
)
)
)
Playground
Test against your own EMLs or sample data.