Medium Severity

Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Labels

Malware/Ransomware

Evasion

Description

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.pdf.urls,
                    regex.contains(.path,
                                   '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b'
                    )
                    and .domain.root_domain not in $tranco_1m
                )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.