Sublime Core Feed
High Severity

Attachment: PDF with a suspicious string and single URL

Description

Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.

References

No references.

Sublime Security
Created Mar 2nd, 2026 • Last updated Mar 2nd, 2026
Source
type.inbound
and any(attachments,
        .file_type == "pdf"
        // a single page pdf
        and beta.parse_exif(.).page_count == 1
        and any(filter(file.explode(.), .depth == 1),
                // the pdf contains specific suspicious wording
                // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
                any(.scan.strings.strings,
                    regex.icontains(.,
                                    // action!
                                    '^\s*(?:view documents?|view pdf|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|REVIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message)\s*$',
                                    // "secure fax"
                                    'View Secure Fax',
                                    // more fake errors
                                    'It seems there was an issue opening the document. Please view it online.',
                                    // fake adobe update
                                    'Update Adobe Viewer',
                                    // fake sharepoint wording
                                    'Learn more about messages protected by Microsoft',
                                    // fake encryption crap
                                    'This document is protected by 256-bit encryption.',
                                    // sent you a document
                                    '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
                                    '^You received a \S+ to review and sign$',
                                    // docusign
                                    '\s*DocuSign Contract Under Review\s*'
                    )
                )
                // fake error messages
                or (
                  'Error' in~ .scan.strings.strings
                  and any(.scan.strings.strings,
                          regex.icontains(., '^\s*(?:View Video)\s*$')
                  )
                )
                // really terse PDF with link
                or (
                  length(.scan.strings.strings) == 1
                  and 'Some additional information here' in~ .scan.strings.strings
                )
        )
        and any(file.explode(.), .depth == 0 and length(.scan.url.urls) == 1)
)
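The rule's decision logic, ported to Python so it can be exercised offline against facts a PDF scanner would extract (page count, text lines split on newlines, URLs). This is an added example, not Sublime's code: the PdfAttachment record, matches_rule, the shortened action-phrase list and the sample inputs are assumptions constructed here.

```python
import re
from dataclasses import dataclass

# Exact-line "call to action" phrases; a shortened subset of the rule's list (assumption).
ACTION_LINE = re.compile(
    r'^\s*(?:view documents?|view pdf|view document here|open pdf|open document|'
    r'review document|view details|click to read message|access document\(s\))\s*$',
    re.IGNORECASE)
# Free-form patterns, matched the way regex.icontains does (case-insensitive search).
LOOSE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'View Secure Fax',
    r'Update Adobe Viewer',
    r'This document is protected by 256-bit encryption\.',
    r'.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
    r'^You received a \S+ to review and sign$',
    r'\s*DocuSign Contract Under Review\s*',
)]
@dataclass
class PdfAttachment:
    """Facts the rule consumes, as a PDF scanner would extract them (hypothetical record)."""
    page_count: int
    strings: list[str]  # text lines of the PDF, split on newlines (depth 1 in the rule)
    urls: list[str]     # URLs found in the PDF object itself (depth 0 in the rule)

def matches_rule(pdf: PdfAttachment) -> bool:
    """Port of the rule's logic: one page, exactly one URL, and one of three lure shapes."""
    if pdf.page_count != 1 or len(pdf.urls) != 1:
        return False
    # branch 1: a suspicious action phrase or lure sentence anywhere in the text
    if any(ACTION_LINE.search(s) or any(p.search(s) for p in LOOSE_PATTERNS)
           for s in pdf.strings):
        return True
    # branch 2: a bare "Error" line (in~ is case-insensitive membership) plus "View Video"
    lowered = {s.lower() for s in pdf.strings}
    if 'error' in lowered and any(re.fullmatch(r'\s*view video\s*', s, re.IGNORECASE)
                                  for s in pdf.strings):
        return True
    # branch 3: the PDF's only text line is the terse boilerplate string
    return len(pdf.strings) == 1 and pdf.strings[0].lower() == 'some additional information here'
# Constructed samples: a lure that should fire and a benign one-page report that should not.
SAMPLES = {
    "lure": PdfAttachment(1, ["Acme Corp", "VIEW DOCUMENT HERE"], ["https://example.invalid/doc"]),
    "report": PdfAttachment(1, ["Quarterly report", "Page 1 of 1"], ["https://example.invalid/r"]),
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name}: {'match' if matches_rule(pdf) else 'no match'}")
```

Feed it the text lines and URL list your own extraction produces to backtest the phrase list against a PDF corpus before tuning the rule.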