Medium Severity

Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Description

Detects inbound messages carrying a PDF attachment whose embedded URLs link directly to suspicious filetypes hosted on low-reputation domains, sent by an unsolicited sender (or by a sender with prior malicious or spam messages and no recorded false positives).

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Source

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.pdf.urls,
                    regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
                    and .domain.root_domain not in $tranco_1m
                )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
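The rule's conditions re-expressed in Python as an added illustration (this is not Sublime's MQL engine or implementation), run over constructed sample messages. The ml.nlu_classifier "request" entity and the $tranco_1m list are replaced by a stand-in field and a small constructed set, and root-domain extraction is a simplified assumption (last two labels, no public suffix list).

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the rule. The trailing \b means the extension must end at a word
# boundary: "/setup.exe" and "/setup.exe?id=1" match, "/setup.exec" does not.
SUSPICIOUS_PATH = re.compile(r'\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')

# Constructed stand-in for $tranco_1m; the real list has about a million domains.
TRANCO_1M = {"microsoft.com", "google.com", "github.com"}

def root_domain(host):
    # Simplification (assumption): last two labels, no public-suffix-list handling.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def url_is_suspicious(url):
    # Inner condition: suspicious extension in the path AND root domain not in Tranco.
    parts = urlsplit(url)
    return bool(SUSPICIOUS_PATH.search(parts.path)) and root_domain(parts.hostname or "") not in TRANCO_1M

def attachment_hits(att):
    # Only PDFs count, and only if at least one extracted URL is suspicious.
    return att["file_extension"] == "pdf" and any(url_is_suspicious(u) for u in att["pdf_urls"])

def sender_hits(profile):
    # Unsolicited sender, or one with prior malicious/spam mail and no recorded false positives.
    return (not profile["solicited"]) or (
        profile["any_messages_malicious_or_spam"] and not profile["any_false_positives"])

def rule_matches(msg):
    # Top-level rule; has_request_entity stands in for the ml.nlu_classifier "request" entity.
    return (msg["inbound"] and msg["has_request_entity"]
            and any(attachment_hits(a) for a in msg["attachments"])
            and sender_hits(msg["sender_profile"]))

# Constructed sample messages, not real telemetry.
CLEAN_SENDER = {"solicited": False, "any_messages_malicious_or_spam": False, "any_false_positives": False}
HIT = {"inbound": True, "has_request_entity": True, "sender_profile": CLEAN_SENDER,
       "attachments": [{"file_extension": "pdf",
                        "pdf_urls": ["https://files.example-cdn.net/invoice/viewer.exe?id=7"]}]}
# Same link on a Tranco-listed root domain: no alert.
MISS_TRANCO = dict(HIT, attachments=[{"file_extension": "pdf",
                                      "pdf_urls": ["https://download.microsoft.com/tools/setup.exe"]}])
# Same PDF from a solicited sender with a clean history: no alert.
MISS_SOLICITED = dict(HIT, sender_profile=dict(CLEAN_SENDER, solicited=True))
# Solicited sender, but with prior malicious/spam mail and no false positives: alert again.
HIT_BAD_HISTORY = dict(HIT, sender_profile={"solicited": True, "any_messages_malicious_or_spam": True,
                                            "any_false_positives": False})
```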