Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	BEC/Fraud
Tactics and techniques	Free email provider, PDF, Social engineering, QR code

Event coverage

Message attribute
attachments (collection)
body.current_thread
sender.email
subject
type

Rule body MQL

type.inbound

// sender is a freemail domain
and sender.email.domain.root_domain in $free_email_providers

// attachment filename is the same as the subject
and any(attachments,
        (
          strings.ilevenshtein(strings.concat(subject.subject,
                                              ".",
                                              .file_extension
                               ),
                               .file_name
          ) <= 1
        )
        or strings.contains(.file_name, subject.subject)
)

// body contains a US address, or the body is the subject
and (
  regex.icontains(body.current_thread.text,
                  '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?',
                  // a Canadian address
                  '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d'
  )
  or subject.subject == body.current_thread.text
)

// there's a PDF attachment with an image at a depth of one, measuring 148x148 and containing a QR code that is a BTC address
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                (
                  (.depth == 1 and .flavors.mime == "image/jpeg")
                  and (
                    .scan.exiftool.image_height == 148
                    and .scan.exiftool.image_width == 148
                    and regex.match(.scan.qr.data,
                                    '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})'
                    )
                  )
                )
                or (
                  any(.scan.strings.strings,
                      regex.icontains(.,
                                      'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)'
                      )
                  )
                  and any(.scan.strings.strings,
                          regex.icontains(.,
                                          '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)'
                          )
                  )
                )
        )
)

Detection logic

Scope: inbound message.

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

inbound message
sender.email.domain.root_domain in $free_email_providers
any of attachments where any holds:
- strings.ilevenshtein(strings.concat(subject.subject, '.', .file_extension)) ≤ 1
- strings.contains(.file_name)
any of:
- body.current_thread.text matches any of 2 patterns
  - \d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?
  - \d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d
- subject.subject is body.current_thread.text
any of attachments where all hold:
- .file_type is 'pdf'
- any of file.explode(.) where any holds:
  - all of:
    
    all of:
    
    .depth is 1
    .flavors.mime is 'image/jpeg'
    all of:
    
    .scan.exiftool.image_height is 148
    .scan.exiftool.image_width is 148
    .scan.qr.data matches '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})'
  - all of:
    
    any of .scan.strings.strings where:
    
    . matches 'Amount(?:\\s*\\w+){0,3}\\s*:?\\s*(?:USD\\s*)?(?:\\$\\s?\\d+|\\d+\\s?\\$?)'
    any of .scan.strings.strings where:
    
    . matches '(\\bBITCOIN\\b|\\bBTC\\b|\\bLTC\\b|Wallet)'

Inspects: attachments[].file_extension, attachments[].file_name, attachments[].file_type, body.current_thread.text, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.explode, regex.icontains, regex.match, strings.concat, strings.contains, strings.ilevenshtein. Reference lists: $free_email_providers.

Indicators matched (7)

Field	Match	Value
`regex.icontains`	regex	`\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?\|\d+\s[\w\s.]+(?:Street\|St\|Avenue\|Ave\|Boulevard\|Blvd\|Road\|Rd\|Drive\|Dr\|Lane\|Ln\|Court\|Ct\|Way\|Place\|Pl\|Terrace\|Ter\|Circle\|Cir\|Parkway\|Pkwy\|Trail\|Trl\|Highway\|Hwy\|Loop)\b\.?`
`regex.icontains`	regex	`\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario\|ON)\|(?:Quebec\|QC)\|(?:Nova Scotia\|NS)\|(?:New Brunswick\|NB)\|(?:Manitoba\|MB)\|(?:British Columbia\|BC)\|(?:Prince Edward Island\|PEI?)\|(?:Saskatchewan\|SK)\|(?:Alberta\|AB)\|(?:Newfoundland and Labrador\|NL)\|(?:Yukon\|YT)\|(?:Northwest Territories\|NT)\|(?:Nunavut\|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d`
`attachments[].file_type`	equals	`pdf`
`file.explode(attachments[])[].flavors.mime`	equals	`image/jpeg`
`regex.match`	regex	`(1[a-km-zA-HJ-NP-Z1-9]{25,34}\|3[a-km-zA-HJ-NP-Z1-9]{25,34}\|bc1[qp-z0-9]{39,59})`
`regex.icontains`	regex	`Amount(?:\s\w+){0,3}\s:?\s(?:USD\s)?(?:\$\s?\d+\|\d+\s?\$?)`
`regex.icontains`	regex	`(\bBITCOIN\b\|\bBTC\b\|\bLTC\b\|Wallet)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)