• Sublime Core Feed
High Severity

Attachment: Self-sender PDF with minimal content and view prompt

Labels

Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis

Description

Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.

References

No references.

Sublime Security
Created Feb 3rd, 2026 • Last updated Feb 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// self sender
and length(recipients.to) == 1
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
and strings.starts_with(body.current_thread.text, 'Please see attached')
and any(filter(attachments, .file_type == 'pdf'),
        any(file.explode(.),
            .scan.strings.strings[0] == 'VIEW PDF'
            and length(.scan.strings.strings) == 1
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started