Medium Severity

Attachment: PDF with credential theft language and invalid reply-to domain

Labels

Credential Phishing
PDF
Social engineering
Spoofing
File analysis
Header analysis
Natural Language Understanding
Content analysis

Description

Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.

References

No references.

Sublime Security
Created Apr 10th, 2026 • Last updated Apr 10th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(headers.reply_to, .email.email == "")
and any(attachments,
        .file_type == 'pdf'
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.strings.raw).intents,
                    .name == 'cred_theft' and .confidence == 'high'
                )
                and strings.icontains(.scan.strings.raw,
                                      recipients.to[0].email.email
                )
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started