type.inbound
and length(attachments) == 1
and any(filter(attachments, .file_type == "pdf"),
        //
        // This rule makes use of a beta feature and is subject to change without notice.
        // Using the beta feature in custom rules is not suggested until it has been formally released.
        //
        any(beta.parse_exif(.).fields,
            strings.icontains(.value, 'password protected')
        )
        and any(file.explode(.),
                any(.scan.yara.matches,
                    .name in ("pwd_protected_pdf_fake_document_1")
                )
        )
)