• Sublime Core Feed
High Severity

Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender

Labels

BEC/Fraud
Free email provider
PDF
Social engineering
QR code
Content analysis
File analysis
QR code analysis

Description

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

References

No references.

Sublime Security
Created Sep 12th, 2024 • Last updated Feb 3rd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// sender is a freemail domain
and sender.email.domain.root_domain in $free_email_providers

// attachment filename is the same as the subject
and any(attachments,
        (
          strings.ilevenshtein(strings.concat(subject.subject,
                                              ".",
                                              .file_extension
                               ),
                               .file_name
          ) <= 1
        )
        or strings.contains(.file_name, subject.subject)
)

// body contains a US address, or the body is the subject
and (
  regex.icontains(body.current_thread.text,
                  '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?',
                  // a Canadian address
                  '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d'
  )
  or subject.subject == body.current_thread.text
)

// there's a PDF attachment with an image at a depth of one, measuring 148x148 and containing a QR code that is a BTC address
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                (
                  (.depth == 1 and .flavors.mime == "image/jpeg")
                  and (
                    .scan.exiftool.image_height == 148
                    and .scan.exiftool.image_width == 148
                    and regex.match(.scan.qr.data,
                                    '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})'
                    )
                  )
                )
                or (
                  any(.scan.strings.strings,
                      regex.icontains(.,
                                      'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)'
                      )
                  )
                  and any(.scan.strings.strings,
                          regex.icontains(.,
                                          '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)'
                          )
                  )
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started