High Severity

Attachment: Soda PDF producer with encryption themes

Labels

Description

Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.

References

No references.

Sublime Security

Created Jun 19th, 2025 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        .file_extension == "pdf"
        // observed producer
        and any(file.explode(.), .scan.exiftool.producer == "Soda PDF")
        and any(file.explode(.),
                // OCR contains "encryption" themes
                (
                  strings.icontains(.scan.ocr.raw, "has been encrypted")
                  or strings.icontains(.scan.ocr.raw, "encrypted pdf file")
                  or strings.icontains(.scan.ocr.raw, "is secured by")
                )
                // mentions a PDF 
                and strings.contains(.scan.ocr.raw, "PDF")
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.