Medium Severity

Attachment: PDF with suspicious HeadlessChrome metadata

Labels

Credential Phishing

Malware/Ransomware

Description

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.

References

No references.

Sublime Security

Created Jan 8th, 2026 • Last updated May 1st, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(filter(attachments, .file_extension == "pdf"),
        strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
        and beta.parse_exif(.).page_count == 1
        and (
          // MD5 filename, 32 hex chars and .html
          (
            regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
            or 
            // about:blank and Windows HeadlessChrome
            (
              beta.parse_exif(.).title == "about:blank"
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
            // cred theft intents on the message and Windows Headless Chrome
            or (
              any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
          )
          and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
        )
)
and not (
  sender.email.domain.root_domain in (
    "guardtek.net",
    "gominis.com",
    "aglgroup.com",
    "truckerzoom.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.