Medium Severity

Attachment: PDF with localhost IP in EXIF title metadata

Labels

Credential Phishing
Malware/Ransomware
PDF
Evasion
Exif analysis
File analysis
Sender analysis

Description

Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.

References

No references.

Sublime Security
Created Jun 29th, 2026 • Last updated Jun 29th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// self sender or invaild recipent domain
and length(recipients.to) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
and any(filter(attachments, .file_type == "pdf"),
        strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started