Description

Detects messages a user sends to themselves that contain bold links whose display text ends in ".pdf" and correlates with the subject line or the sender's domain, which may indicate a compromised account or a social engineering technique.

References

No references.

Sublime Security
Created Jun 4th, 2026 • Last updated Jun 4th, 2026
Source
type.inbound
// self sender
and (
  length(recipients.to) == 1
  and recipients.to[0].email.email == sender.email.email
)
// bold a tags ending in PDF
and any(html.xpath(body.html, '//a[./b]').nodes,
        strings.iends_with(.display_text, ".pdf")
        and (
          // subject appears as the .pdf link
          any(regex.extract(subject.base, '(?P<word>\w+)'),
              strings.contains(..display_text, .named_groups["word"])
          )
          // OR sender domain appears as the pdf link
          or strings.icontains(.display_text, sender.email.domain.sld)
        )
        // we should NOT match urls
        and strings.parse_url(.display_text, strict=false).url is null
        and not any(.links, strings.iends_with(.href_url.path, '.pdf'))
)