Detection rules › Sublime MQL
Attachment: PDF with recipient email in link
Detects inbound messages carrying a PDF attachment in which a link is personalized with the sole recipient's email address, either verbatim in the URL, base64-encoded in the URL, or inside a QR code embedded in the PDF. (The rule body below does not inspect the attachment filename; personalization of the link is the signal.)
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | PDF, QR code, Encryption, Social engineering |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| recipients |
| recipients.to (collection) |
| type |
Rule body MQL

```mql
type.inbound
// one or more PDF documents
and length(filter(attachments, .file_type == "pdf")) >= 1
and length(attachments) <= 4
// a single recipient (the address is embedded in the link, so there can be only one)
and length(recipients.to) == 1
and all(recipients.to, .email.domain.valid)
and any(filter(attachments, .file_type == "pdf"),
        (
          // the URLs in the top-level (depth 0) exploded PDF
          any(filter(file.explode(.), .depth == 0),
              // remove links we are not interested in
              any(filter(.scan.pdf.urls,
                         // remove mailto: and email: links
                         not strings.istarts_with(.url, 'mailto:')
                         and not strings.istarts_with(.url, 'email:')
                         // remove links whose domain appears in the exiftool producer field
                         and not (
                           ..scan.exiftool.producer is not null
                           and strings.icontains(..scan.exiftool.producer, .domain.domain)
                         )
                         // remove links whose domain appears in the exiftool creator field
                         and not (
                           ..scan.exiftool.creator is not null
                           and strings.icontains(..scan.exiftool.creator, .domain.domain)
                         )
                         // legitimate domains that exhibit this behavior
                         and .domain.root_domain not in (
                           "univarsolutions.com",
                           "westpac.com.au",
                           "safeshiphub.com",
                           "sharepoint.com"
                         )
                  ),
                  // the link contains the recipient's email address
                  any(recipients.to,
                      .email.domain.valid
                      and (
                        strings.icontains(..url, .email.email)
                        // or the base64-encoded email
                        or any(beta.scan_base64(..url, format="url", ignore_padding=true),
                               strings.icontains(., ..email.email)
                        )
                      )
                  )
              )
          )
          // or there is a QR code
          or (
            //
            // This rule makes use of a beta feature and is subject to change without notice.
            // Using the beta feature in custom rules is not recommended until it has been formally released.
            //
            any(beta.scan_qr(.).items,
                .url.domain.valid
                and any(recipients.to,
                        // QR code contains the email
                        (
                          strings.icontains(..url.url, .email.email)
                          // or the base64-encoded email
                          or any(strings.scan_base64(..url.url, format="url", ignore_padding=true),
                                 strings.icontains(., ..email.email)
                          )
                        )
                )
            )
          )
        )
)
```
Detection logic
Scope: inbound message.
The rule fires on an inbound message with at most four attachments, at least one of them a PDF, addressed to exactly one To recipient with a valid domain, when a link inside a PDF is personalized with that recipient's email address. All of the following must hold:
- inbound message (type.inbound)
- length(filter(attachments, .file_type == "pdf")) >= 1
- length(attachments) <= 4
- length(recipients.to) == 1, and all(recipients.to, .email.domain.valid)
- any PDF attachment satisfies one of the two branches:
  - Link branch: a top-level exploded object (file.explode(.), .depth == 0) has an entry in .scan.pdf.urls that
    - does not start with mailto: or email: (strings.istarts_with),
    - has a host (.domain.domain) that does not appear in the exiftool producer or creator metadata, which drops links a PDF generator stamps into every document it produces,
    - has a root domain outside the allow list (univarsolutions.com, westpac.com.au, safeshiphub.com, sharepoint.com), and
    - contains the recipient's address, either verbatim (strings.icontains(..url, .email.email)) or in a base64 decoding of the URL (beta.scan_base64(..url, format="url", ignore_padding=true)).
  - QR branch: a QR code decoded by beta.scan_qr(.).items has a valid URL domain and its URL contains the recipient's address, verbatim or via strings.scan_base64(..url.url, format="url", ignore_padding=true).
Note that the QR branch applies none of the link branch's exclusions: a mailto: payload is already rejected by .url.domain.valid, but the exiftool and allow-list filters are not consulted for QR codes.
Inspects: attachments[].file_type, recipients.to, recipients.to[].email.domain.valid, recipients.to[].email.email, type.inbound.
Sensors: beta.scan_base64, beta.scan_qr, file.explode, strings.icontains, strings.istarts_with, strings.scan_base64.
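The following is an added, stdlib-only Python model of the link branch above; it is not Sublime's code and not the rule itself. It extracts /URI link annotations and the /Producer and /Creator strings from a constructed minimal PDF, applies the same exclusions the MQL applies (mailto:/email: prefix, host present in producer/creator metadata, allow-listed root domain), and then looks for the recipient's address either verbatim or inside a URL-safe base64 run, the way scan_base64 with format="url" and ignore_padding=true would. The root_domain helper is a two-label simplification (Sublime's .domain.root_domain is public-suffix aware, so "westpac.com.au" would be handled differently here), QR payloads are taken as already-decoded strings because QR decoding is out of scope, and every address and domain is hypothetical.

```python
"""Model of the "PDF with recipient email in link" logic (added example, not Sublime's code)."""
import base64
import re
from typing import Iterable, List
from urllib.parse import urlsplit

# Root domains the MQL rule allow-lists.
ALLOWED_ROOT_DOMAINS = {"univarsolutions.com", "westpac.com.au", "safeshiphub.com", "sharepoint.com"}

# URL-safe base64 runs; 16+ chars so a short address cannot hide in a trivially short token.
_B64URL_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")            # link annotation targets (literal strings only)
_META_RE = re.compile(rb"/(Producer|Creator)\s*\(([^)]*)\)")  # the fields the rule reads via exiftool


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def root_domain(host: str) -> str:
    """Last two labels only. Simplification of the public-suffix aware .domain.root_domain."""
    return ".".join(host.lower().split(".")[-2:])


def decoded_base64_tokens(text: str) -> List[str]:
    """Emulates scan_base64(text, format="url", ignore_padding=true): every long
    URL-safe-base64 run that decodes to valid UTF-8, padding restored if missing."""
    out = []
    for tok in _B64URL_TOKEN.findall(text):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            out.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def link_personalized(url: str, recipient: str) -> bool:
    """True when the address appears in the URL verbatim or base64-encoded (case-insensitive)."""
    needle = recipient.lower()
    if needle in url.lower():
        return True
    return any(needle in decoded.lower() for decoded in decoded_base64_tokens(url))


def pdf_links(pdf: bytes) -> List[str]:
    return [m.decode("latin-1") for m in _URI_RE.findall(pdf)]


def pdf_metadata(pdf: bytes) -> List[str]:
    return [v.decode("latin-1") for _, v in _META_RE.findall(pdf)]


def candidate_links(pdf: bytes) -> List[str]:
    """The rule's exclusions: mailto:/email: links, links whose host appears in
    producer/creator metadata, and allow-listed root domains."""
    meta = [m.lower() for m in pdf_metadata(pdf)]
    kept = []
    for url in pdf_links(pdf):
        if url.lower().startswith(("mailto:", "email:")):
            continue
        host = hostname(url)
        if host and any(host in m for m in meta):
            continue
        if root_domain(host) in ALLOWED_ROOT_DOMAINS:
            continue
        kept.append(url)
    return kept


def rule_matches(pdf: bytes, recipients_to: List[str], qr_payloads: Iterable[str] = ()) -> bool:
    """One PDF: exactly one To recipient, then a surviving link or a decoded QR
    payload with a host that is personalized with that recipient's address."""
    if len(recipients_to) != 1:
        return False
    rcpt = recipients_to[0]
    if any(link_personalized(u, rcpt) for u in candidate_links(pdf)):
        return True
    return any(hostname(p) and link_personalized(p, rcpt) for p in qr_payloads)


# Constructed sample input (hypothetical recipient and domains).
RECIPIENT = "jane.doe@example-corp.com"
B64_EMAIL = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")


def _annot(uri: bytes) -> bytes:
    return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>"


# Minimal PDF: a mailto:, a link on an allow-listed host, a link on the creator's own
# domain, and one phishing link with the recipient's address base64-encoded in the path.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Producer (Acme Doc Builder) /Creator (example-corp.com Portal) >> endobj\n"
    + b"2 0 obj " + _annot(b"mailto:billing@example-corp.com") + b" endobj\n"
    + b"3 0 obj " + _annot(b"https://example-corp-my.sharepoint.com/s/x?e=" + RECIPIENT.encode()) + b" endobj\n"
    + b"4 0 obj " + _annot(b"https://example-corp.com/policies") + b" endobj\n"
    + b"5 0 obj " + _annot(b"https://secure-docs-review.invalid/v/" + B64_EMAIL.encode()) + b" endobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    print("surviving links:", candidate_links(SAMPLE_PDF))
    print("rule matches:", rule_matches(SAMPLE_PDF, [RECIPIENT]))
```

Only the fifth link survives the exclusions, and it matches because the base64 run in its path decodes to the recipient's address; the same PDF with a different sole recipient does not match, and two To recipients short-circuit the rule before any link is examined.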
Indicators matched (7)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | pdf |
| scan.pdf.urls[].url (strings.istarts_with) | prefix | mailto: |
| scan.pdf.urls[].url (strings.istarts_with) | prefix | email: |
| filter(...)[].scan.pdf.urls[].domain.root_domain | member | univarsolutions.com |
| filter(...)[].scan.pdf.urls[].domain.root_domain | member | westpac.com.au |
| filter(...)[].scan.pdf.urls[].domain.root_domain | member | safeshiphub.com |
| filter(...)[].scan.pdf.urls[].domain.root_domain | member | sharepoint.com |