Medium Severity
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Description
Detects inbound messages whose PDF attachments link directly to suspicious file types (executables, scripts, archives, disk images) on hosts with low reputation, where the sender is unsolicited. In the rule below, "low reputation" means the link's root domain is not in the Tranco top 1M list, and the sender condition also matches solicited senders with prior malicious or spam messages and no recorded false positives.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.pdf.urls,
                    regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
                    and .domain.root_domain not in $tranco_1m
                )
        )
)
and (
    not profile.by_sender().solicited
    or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_false_positives
    )
)
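A Python model of the rule's per-URL check and sender clause, added here as an illustration of how the conditions combine; it is not Sublime's evaluator. The Tranco set, the two-label root-domain approximation and the message dictionary are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Regex taken from the rule: file types that a link inside a PDF should not point to directly.
SUSPICIOUS_EXT = re.compile(r'\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')

# Constructed stand-in for $tranco_1m (the real list holds about one million domains).
TRANCO_1M = {"microsoft.com", "google.com", "adobe.com"}

def root_domain(host: str) -> str:
    """Assumption: registrable domain approximated as the last two labels.
    A production implementation would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def url_is_suspicious(url: str) -> bool:
    """One URL extracted from a PDF: suspicious extension in the path AND
    a root domain outside the top-1M list (both halves of the inner any())."""
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    return bool(SUSPICIOUS_EXT.search(parts.path)) and root_domain(parts.hostname) not in TRANCO_1M

def sender_condition(solicited: bool, any_malicious_or_spam: bool, any_false_positives: bool) -> bool:
    """Mirrors the profile.by_sender() clause: unsolicited, or a bad history with no false positives."""
    return (not solicited) or (any_malicious_or_spam and not any_false_positives)

def message_matches(msg: dict) -> bool:
    """msg is a constructed dictionary standing in for the MQL message object."""
    if not msg["inbound"] or not msg["nlu_request_entity"]:
        return False
    pdf_hit = any(
        att["file_extension"] == "pdf" and any(url_is_suspicious(u) for u in att["pdf_urls"])
        for att in msg["attachments"]
    )
    return pdf_hit and sender_condition(**msg["sender_profile"])

# Constructed sample: inbound, request language detected, unsolicited sender,
# PDF linking to an .exe on a host whose root domain is outside the top-1M list.
SAMPLE = {
    "inbound": True,
    "nlu_request_entity": True,
    "attachments": [{"file_extension": "pdf",
                     "pdf_urls": ["https://cdn.example-fileshare.net/invoice/setup.exe"]}],
    "sender_profile": {"solicited": False, "any_malicious_or_spam": False, "any_false_positives": False},
}
```

Note that the trailing `\b` means a path such as `/files/archive.sha256` does not match the `sh` alternative, while `/invoice/setup.exe` does.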