Detection rules › Sublime MQL
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion, PDF |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body.current_thread |
| type |
Rule body MQL
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
regex.contains(.url, '\.(?:zip)')
and .domain.root_domain not in $tranco_1m
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Detection logic
Scope: inbound message.
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
- inbound message
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere:- .name is 'request'
any of
attachmentswhere all hold:- .file_extension is 'pdf'
any of
file.explode(.)where:any of
.scan.pdf.urlswhere all hold:- .url matches '\\.(?:zip)'
- .domain.root_domain not in $tranco_1m
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].file_extension, body.current_thread.text, type.inbound. Sensors: file.explode, ml.nlu_classifier, profile.by_sender, regex.contains. Reference lists: $tranco_1m.
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | request |
attachments[].file_extension | equals | pdf |
regex.contains | regex | \.(?:zip) |