Medium Severity

Attachment: PDF with localhost IP in EXIF title metadata

Description

Detects inbound PDF attachments whose EXIF title metadata starts with '127.0.0.1' on messages with a single recipient who is either the sender itself (self-addressed) or in an invalid domain. Localhost references in file metadata may indicate automated or malicious document-generation tools.

References

No references.

Sublime Security
Created Jun 29th, 2026 • Last updated Jun 29th, 2026
Source
type.inbound
// self sender or invalid recipient domain
and length(recipients.to) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
and any(filter(attachments, .file_type == "pdf"),
        strings.starts_with(beta.parse_exif(.).title, "127.0.0.1")
)
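As an added illustration (not Sublime's code and not part of the rule page), the following Python approximates the rule's logic over constructed sample PDFs: it pulls /Title out of the PDF Info dictionary (the field exiftool reports as the title), checks the "127.0.0.1" prefix, and applies the single-recipient condition. The `is_valid_domain` function is a syntactic stand-in for MQL's `domain.valid`, the `Message`/`Attachment` classes are assumptions made for the example, and the inbound direction is assumed rather than checked.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample PDFs (not real files). The Info dictionary's /Title is the
# field that exiftool and similar parsers report as the "Title" metadata.
SAMPLE_PDF_LITERAL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (127.0.0.1 invoice) /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""
# Same title written as a UTF-16BE hex string, which some PDF writers emit.
SAMPLE_PDF_HEX = SAMPLE_PDF_LITERAL.replace(
    b"(127.0.0.1 invoice)", b"<FEFF003100320037002E0030002E0030002E0031>")


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve the common PDF literal-string escapes (\\n \\r \\t \\( \\) \\\\).
    Octal escapes (\\ddd) are left as-is for brevity."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out += simple.get(nxt, nxt)  # \( \) \\ and unknown escapes yield the char
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return bytes(out)


def _decode_pdf_text(raw: bytes) -> str:
    # A UTF-16BE byte-order mark marks a Unicode string; otherwise PDFDocEncoding,
    # approximated here by latin-1.
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def pdf_title(data: bytes) -> Optional[str]:
    """Return the first /Title string found in the PDF bytes, or None."""
    m = re.search(rb"/Title\b\s*", data)
    if not m:
        return None
    pos = m.end()
    if data[pos:pos + 1] == b"(":
        # Literal string: parentheses nest, a backslash escapes the next byte.
        depth, i, raw = 1, pos + 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                raw += data[i:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            raw += c
            i += 1
        return _decode_pdf_text(_unescape_literal(bytes(raw)))
    if data[pos:pos + 1] == b"<":
        # Hex string: whitespace is ignored, an odd trailing digit is padded with 0.
        end = data.find(b">", pos)
        if end == -1:
            return None
        hexdigits = re.sub(rb"\s", b"", data[pos + 1:end])
        if len(hexdigits) % 2:
            hexdigits += b"0"
        try:
            return _decode_pdf_text(bytes.fromhex(hexdigits.decode("ascii")))
        except ValueError:  # not a hex string (e.g. "<<" starts a dictionary)
            return None
    return None


# Assumption: a syntactic label test stands in for MQL's domain.valid.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def is_valid_domain(domain: str) -> bool:
    return bool(_DOMAIN_RE.match(domain.lower()))


@dataclass
class Attachment:  # hypothetical stand-in for Sublime's attachment object
    file_name: str
    file_type: str  # normalized type, e.g. "pdf"
    content: bytes


@dataclass
class Message:  # hypothetical stand-in for the message being evaluated
    sender: str
    to: List[str]
    attachments: List[Attachment]


def matches_rule(msg: Message) -> bool:
    """Python rendering of the MQL rule above (inbound direction assumed)."""
    if len(msg.to) != 1:
        return False
    rcpt = msg.to[0]
    self_addressed = msg.sender.lower() == rcpt.lower()
    bad_domain = not is_valid_domain(rcpt.rsplit("@", 1)[-1])
    if not (self_addressed or bad_domain):
        return False
    return any(
        a.file_type == "pdf" and (pdf_title(a.content) or "").startswith("127.0.0.1")
        for a in msg.attachments
    )
```

Running `matches_rule` on a self-addressed message carrying `SAMPLE_PDF_LITERAL` returns True, while the same attachment sent from one valid external address to another does not match, which mirrors the rule's narrowing on recipient shape rather than on the PDF alone.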