Sublime Core Feed
Medium Severity

Suspicious Attachment: Duplicate decoy PDF files

Labels

Credential Phishing
Evasion
PDF
File analysis
Optical Character Recognition

Description

This rule flags inbound messages that carry more than one attachment, where every attachment is a PDF and the set collapses to a single file: either all attachments share one filename, or all share one MD5 hash. Each PDF (and anything file.explode extracts from it) must also be content-free: OCR recovers no text, and at least one of the rule's link sources (URLs scanned from the file, the PDF's own link objects, or the message body) is empty. A repeated, content-free PDF is the decoy pattern this rule targets.

References

No references.

Sublime Security
Created Aug 2nd, 2024 • Last updated Mar 18th, 2025
// Inbound mail with at least two attachments, every one of them a PDF
type.inbound
and length(attachments) > 1
and all(attachments, .file_type == "pdf")
// All attachments collapse to one file: a single shared filename or a single shared MD5
and (
  length(distinct(attachments, .file_name)) == 1
  or length(distinct(attachments, .md5)) == 1
)
// Every attachment, and anything file.explode extracts from it, is content-free:
// at least one link source is empty (note the `or`) and OCR recovers no text
and all(attachments,
        .file_type == "pdf"
        and all(file.explode(.),
                (
                  length(.scan.url.urls) == 0
                  or length(.scan.pdf.urls) == 0
                  or length(body.links) == 0
                )
                and .scan.ocr.raw is null
        )
)
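The same logic as an added Python example, written for this page and not Sublime's code or an MQL evaluator: it parses an .eml with the standard library, requires more than one PDF attachment (by magic bytes rather than declared Content-Type), tests the shared-filename / shared-MD5 condition, and then applies the per-file checks. The platform's scans are approximated by byte-level heuristics on uncompressed content streams, and those heuristics are assumptions labelled in the code: real OCR also reads text rendered as an image, which a search for Tj/TJ operators cannot. The sample PDFs and messages are constructed inline. The three "no links" checks are joined with `or` exactly as in the rule, so the example shows that a PDF carrying a link still matches when the message body has none.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample data (not from the page): a minimal single-page PDF generator.
# Content streams are left uncompressed so the byte-level heuristics below can see them.
def minimal_pdf(content_ops: str = "", uri: Optional[str] = None) -> bytes:
    objs = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        + (" /Annots [5 0 R]" if uri else "") + " >>",
        f"<< /Length {len(content_ops)} >>\nstream\n{content_ops}\nendstream",
    ]
    if uri:  # optional clickable link annotation, the kind .scan.pdf.urls would report
        objs.append("<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({uri}) >> >>")
    out, offsets = "%PDF-1.4\n", []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{i} 0 obj\n{body}\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n"
    out += "".join(f"{off:010d} 00000 n \n" for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n"
    return out.encode("latin-1")

# Assumed stand-ins for Sublime's per-file scans (heuristics, not the platform's code):
#   .scan.ocr.raw is null -> no text-showing operators (Tj / TJ) in any content stream;
#                            text rendered as an image would fool this but not real OCR
#   .scan.pdf.urls        -> /URI link actions in the object tree
#   .scan.url.urls        -> http(s) URLs appearing anywhere in the bytes
TEXT_OPS = re.compile(rb"\)\s*Tj\b|\]\s*TJ\b")
PDF_URI = re.compile(rb"/URI\s*\(")
ANY_URL = re.compile(rb"https?://", re.IGNORECASE)

def build_eml(attachments, body_text: str = "Please review the attached invoice.") -> bytes:
    """Constructed test message: a plain-text body plus the given (filename, bytes) PDFs."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content(body_text)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()

def is_duplicate_decoy_pdf(raw_eml: bytes) -> bool:
    """Python mirror of the rule's conditions over one RFC 5322 message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    atts = list(msg.iter_attachments())
    if len(atts) <= 1:                          # length(attachments) > 1
        return False
    files = []
    for part in atts:
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"%PDF"):        # .file_type == "pdf", decided by content
            return False
        files.append((part.get_filename() or "", hashlib.md5(data).hexdigest(), data))
    same_name = len({name for name, _, _ in files}) == 1
    same_md5 = len({digest for _, digest, _ in files}) == 1
    if not (same_name or same_md5):             # distinct(...) == 1 on file_name or md5
        return False
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    body_has_links = ANY_URL.search(body_text.encode()) is not None
    for _, _, data in files:
        # The rule joins its three "no links" checks with `or`; one empty source is enough.
        no_links = (not ANY_URL.search(data)
                    or not PDF_URI.search(data)
                    or not body_has_links)
        if not no_links or TEXT_OPS.search(data):   # ... and .scan.ocr.raw is null
            return False
    return True

if __name__ == "__main__":
    blank = minimal_pdf()
    samples = {
        "two identical blank PDFs, same name": build_eml([("invoice.pdf", blank), ("invoice.pdf", blank)]),
        "identical bytes, different names": build_eml([("a.pdf", blank), ("b.pdf", blank)]),
        "duplicate PDFs that contain text": build_eml([("doc.pdf", minimal_pdf("BT (Hello) Tj ET"))] * 2),
        "single blank PDF": build_eml([("invoice.pdf", blank)]),
    }
    for label, eml in samples.items():
        print(f"{str(is_duplicate_decoy_pdf(eml)):>5}  {label}")
```

Run it against your own .eml files by passing their bytes to is_duplicate_decoy_pdf; for production triage replace the regex heuristics with a real PDF parser and an OCR pass, since the rule's strength comes from OCR seeing through image-only pages.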
