Medium Severity

Attachment: PDF with suspicious HeadlessChrome metadata

Labels

Credential Phishing

Malware/Ransomware

Description

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.

References

No references.

Sublime Security

Created Jan 8th, 2026 • Last updated Jan 8th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(filter(attachments, .file_extension == "pdf"),
        strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
        and beta.parse_exif(.).page_count == 1
        and (
          // MD5 filename, 32 hex chars and .html
          regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
          or 
          // about:blank and Windows HeadlessChrome 
          (
            beta.parse_exif(.).title == "about:blank"
            and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
            and strings.icontains(beta.parse_exif(.).creator, "Windows")
          )
        )
        and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
)
and not (
  sender.email.domain.root_domain in (
    "guardtek.net",
    "gominis.com",
    "aglgroup.com",
    "truckerzoom.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.