Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | PDF, Social engineering, Evasion |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL
```mql
type.inbound
and any(attachments,
        .file_type == "pdf"
        // a single page pdf
        and beta.parse_exif(.).page_count == 1
        and any(file.explode(.),
                // the pdf contains specific suspicious wording
                // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
                any(.scan.strings.strings,
                    regex.icontains(.,
                                    // action!
                                    '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message|CLICK HERE TO VIEW DOCUMENTS|VIEW FULL DOCUMENT HERE)\s*$',
                                    // "secure fax"
                                    'View Secure Fax',
                                    // more fake errors
                                    'It seems there was an issue opening the document. Please view it online.',
                                    // fake adobe update
                                    'Update Adobe Viewer',
                                    // fake sharepoint wording
                                    'Learn more about messages protected by Microsoft',
                                    // fake encryption crap
                                    'This document is protected by 256-bit encryption.',
                                    // sent you a document
                                    '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
                                    '^You received a \S+ to review and sign$',
                                    // docusign
                                    '\s*DocuSign Contract Under Review\s*',
                                    'DOCUMENT PREVIEW',
                                    'PREVIEW DOCUMENT',
                                    'VIEW REMITTANCE COPY HERE',
                                    'shared a file with you',
                                    'check your personal forecast',
                    )
                )
                // fake error messages
                or (
                  'Error' in~ .scan.strings.strings
                  and any(.scan.strings.strings,
                          regex.icontains(., '^\s*(?:View Video)\s*$')
                  )
                )
                // really terse PDF with link
                or (
                  length(.scan.strings.strings) == 1
                  and 'Some additional information here' in~ .scan.strings.strings
                )
        )
        and any(file.explode(.),
                .depth == 0
                and (
                  length(filter(.scan.url.urls,
                                // remove mailto: links
                                not strings.istarts_with(.url, 'mailto:')
                                and not strings.istarts_with(.url, 'email:')
                                // remove links found in exiftool output producer/creator
                                and not any([
                                              ..scan.exiftool.producer,
                                              ..scan.exiftool.creator
                                            ],
                                            . is not null
                                            and strings.icontains(., ..domain.domain)
                                )
                                and not .domain.root_domain in ('pdf-tools.com')
                                and not .url in ('https://gamma.app/?utm_source=made-with-gamma')
                         )
                  ) == 1
                  or
                  // there is only one unique domain
                  (
                    length(distinct(filter(.scan.url.urls,
                                           // remove mailto: links
                                           not strings.istarts_with(.url, 'mailto:')
                                           and not strings.istarts_with(.url, 'email:')
                                           // remove links found in exiftool output producer/creator
                                           and not any([
                                                         ..scan.exiftool.producer,
                                                         ..scan.exiftool.creator
                                                       ],
                                                       . is not null
                                                       and strings.icontains(., ..domain.domain)
                                           )
                                           and not .domain.root_domain in ('pdf-tools.com')
                                           and not .url in ('https://gamma.app/?utm_source=made-with-gamma')
                                    ),
                                    .domain.domain
                           )
                    ) == 1
                    // all of them are in self_service
                    and all(distinct(filter(.scan.url.urls,
                                            // remove mailto: links
                                            not strings.istarts_with(.url, 'mailto:')
                                            and not strings.istarts_with(.url, 'email:')
                                            // remove links found in exiftool output producer/creator
                                            and not any([
                                                          ..scan.exiftool.producer,
                                                          ..scan.exiftool.creator
                                                        ],
                                                        . is not null
                                                        and strings.icontains(., ..domain.domain)
                                            )
                                            and not .domain.root_domain in ('pdf-tools.com')
                                            and not .url in ('https://gamma.app/?utm_source=made-with-gamma')
                                     ),
                                     .domain.domain
                            ),
                            .domain.domain in $self_service_creation_platform_domains
                            or .domain.root_domain in $self_service_creation_platform_domains
                    )
                  )
                )
        )
)
```
Detection logic
Scope: inbound message.
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
- inbound message
- any of attachments where all hold:
  - .file_type is 'pdf'
  - beta.parse_exif(.).page_count is 1
  - any of file.explode(.) where any holds:
    - any of .scan.strings.strings where . matches any of 14 patterns:
      - ^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message|CLICK HERE TO VIEW DOCUMENTS|VIEW FULL DOCUMENT HERE)\s*$
      - View Secure Fax
      - It seems there was an issue opening the document. Please view it online.
      - Update Adobe Viewer
      - Learn more about messages protected by Microsoft
      - This document is protected by 256-bit encryption.
      - .*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$
      - ^You received a \S+ to review and sign$
      - \s*DocuSign Contract Under Review\s*
      - DOCUMENT PREVIEW
      - PREVIEW DOCUMENT
      - VIEW REMITTANCE COPY HERE
      - shared a file with you
      - check your personal forecast
    - all of:
      - .scan.strings.strings contains 'Error'
      - any of .scan.strings.strings where . matches ^\s*(?:View Video)\s*$
    - all of:
      - length(.scan.strings.strings) is 1
      - .scan.strings.strings contains 'Some additional information here'
  - any of file.explode(.) where all hold:
    - .depth is 0
    - any of:
      - length(filter(.scan.url.urls, not strings.istarts_with(.url, 'mailto:') and not strings.istarts_with(.url, 'email:') and not any([..scan.exiftool.producer, ..scan.exiftool.creator], . is not null and strings.icontains(., ..domain.domain)) and not .domain.root_domain in ('pdf-tools.com') and not .url in ('https://gamma.app/?utm_source=made-with-gamma'))) is 1
      - all of:
        - length(distinct(filter(.scan.url.urls, not strings.istarts_with(.url, 'mailto:') and not strings.istarts_with(.url, 'email:') and not any([..scan.exiftool.producer, ..scan.exiftool.creator], . is not null and strings.icontains(., ..domain.domain)) and not .domain.root_domain in ('pdf-tools.com') and not .url in ('https://gamma.app/?utm_source=made-with-gamma')), .domain.domain)) is 1
        - all of distinct(...) (the same filtered, de-duplicated set) where any holds:
          - .domain.domain in $self_service_creation_platform_domains
          - .domain.root_domain in $self_service_creation_platform_domains
Inspects: attachments[].file_type, type.inbound. Sensors: beta.parse_exif, file.explode, regex.icontains, strings.icontains, strings.istarts_with. Reference lists: $self_service_creation_platform_domains.
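The rule body and the detection-logic rendering above describe the same checks; as an added example that is not Sublime's code, here they are re-implemented in Python and run over two constructed attachment records: LURE, a one-page "View Document" PDF with a single external link, and BENIGN, a PDF with the same wording whose only link points at its producer tool's own site and is therefore filtered out. The record shape and its field names (file_type, page_count, strings, urls, producer, creator) are assumptions standing in for one depth-0 result of file.explode(), SELF_SERVICE is a placeholder for the $self_service_creation_platform_domains list the page does not enumerate, and the action-word regex keeps only a few of the rule's alternatives.

```python
import re
# Added example (not Sublime's code): this rule's logic re-implemented in Python over a
# constructed record shaped like one depth-0 result of file.explode() on a PDF. Field names
# are assumptions mirroring the MQL; the action-word regex keeps only a few alternatives.
ACTION_RE = re.compile(r"^\s*(?:view documents?|view pdf|open pdf|review document|secure document)\s*$", re.I)
PHRASES = [r"View Secure Fax", r"Update Adobe Viewer", r"shared a file with you",
           r"\s*DocuSign Contract Under Review\s*", r"^You received a \S+ to review and sign$"]
SELF_SERVICE = {"gamma.app"}  # placeholder for $self_service_creation_platform_domains

def suspicious_wording(strings):
    # Branch 1: any extracted line matches a lure pattern (regex.icontains over the list)
    if any(ACTION_RE.search(s) or any(re.search(p, s, re.I) for p in PHRASES) for s in strings):
        return True
    # Branch 2: 'Error' in~ (case-insensitive exact membership) plus a "View Video" line
    if any(s.lower() == "error" for s in strings) and any(re.search(r"^\s*View Video\s*$", s, re.I) for s in strings):
        return True
    # Branch 3: a one-line PDF consisting only of the filler sentence
    return len(strings) == 1 and strings[0].lower() == "some additional information here"

def candidate_urls(urls, producer, creator):
    # Shared filter(): drop mailto:/email: links, producer/creator-domain links, known-benign entries
    kept = []
    for u in urls:
        if u["url"].lower().startswith(("mailto:", "email:")):
            continue
        if any(m and u["domain"].lower() in m.lower() for m in (producer, creator)):
            continue
        if u["root_domain"] == "pdf-tools.com" or u["url"] == "https://gamma.app/?utm_source=made-with-gamma":
            continue
        kept.append(u)
    return kept

def single_url(urls, producer, creator):
    kept = candidate_urls(urls, producer, creator)
    if len(kept) == 1:
        return True
    # Otherwise: exactly one unique domain and every link is on a self-service platform
    return len({u["domain"] for u in kept}) == 1 and all(
        u["domain"] in SELF_SERVICE or u["root_domain"] in SELF_SERVICE for u in kept)

def matches_rule(att):
    return (att["file_type"] == "pdf" and att["page_count"] == 1
            and suspicious_wording(att["strings"])
            and single_url(att["urls"], att["producer"], att["creator"]))
# Constructed samples (not real attachments)
LURE = {"file_type": "pdf", "page_count": 1, "strings": ["Invoice #4821", "View Document"],
        "urls": [{"url": "https://lure.example/doc", "domain": "lure.example", "root_domain": "lure.example"}],
        "producer": "Microsoft Word", "creator": None}
BENIGN = {"file_type": "pdf", "page_count": 1, "strings": ["View Document"],
          "urls": [{"url": "https://converter.example/about", "domain": "converter.example", "root_domain": "converter.example"}],
          "producer": "Converter by converter.example", "creator": None}
```

Note that the real rule evaluates the wording branch over every exploded file and the URL branch only at depth 0; the flat record here collapses both onto one exploded result.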
Indicators matched (22)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | pdf |
| regex.icontains | regex | ^\s*(?:view documents?\|view pdf\|view presentation\|preview new docusign\|Download Secure PDF\|VIEW DOCUMENT HERE\|ACCESS DOCUMENT\|REVIEW NEW SECURE DOCUMENT\|OPEN SECURE VIEWER\|DOWNLOAD RFP DOCUMENT\|View Dashboard here\|ACCESS SECURE DOCUMENTS\|VIEW PROPOSAL DOCUMENTS\|ACCESS / VIEW PROPOSAL DOCUMENT\|Review & Sign Document\|Open PDF\|Access Document\(s\)\|(?:P?RE)?VIEW SHARED DOCUMENT\|New Secured Document\|ACCESS SECURE RFP PORTAL\|Please Review and Sign\|Review and Validate\|SECURE DOCUMENT\|Open Document\|View Details\|Q!_Compensation/Salary Amendments\.pptx\|PREVIEW DOCUMENT HERE\|Download Tax Details Below:\|Review and Sign Document\|Review Document\|Open Encrypted\|OPEN DOCUMENT HERE\|Click to read message\|CLICK HERE TO VIEW DOCUMENTS\|VIEW FULL DOCUMENT HERE)\s*$ |
| regex.icontains | regex | View Secure Fax |
| regex.icontains | regex | It seems there was an issue opening the document. Please view it online. |
| regex.icontains | regex | Update Adobe Viewer |
| regex.icontains | regex | Learn more about messages protected by Microsoft |
| regex.icontains | regex | This document is protected by 256-bit encryption. |
| regex.icontains | regex | .*sent you a \S+ to review(?:\s*(?:and\|&)\s*sign)$ |
| regex.icontains | regex | ^You received a \S+ to review and sign$ |
| regex.icontains | regex | \s*DocuSign Contract Under Review\s* |
| regex.icontains | regex | DOCUMENT PREVIEW |
| regex.icontains | regex | PREVIEW DOCUMENT |
| regex.icontains | regex | VIEW REMITTANCE COPY HERE |
| regex.icontains | regex | shared a file with you |
| regex.icontains | regex | check your personal forecast |
| file.explode(attachments[])[].scan.strings.strings | contains | Error |
| regex.icontains | regex | ^\s*(?:View Video)\s*$ |
| file.explode(attachments[])[].scan.strings.strings | contains | Some additional information here |
| strings.istarts_with | prefix | mailto: |
| strings.istarts_with | prefix | email: |
| file.explode(attachments[])[].scan.url.urls[].domain.root_domain | member | pdf-tools.com |
| file.explode(attachments[])[].scan.url.urls[].url | member | https://gamma.app/?utm_source=made-with-gamma |