Self-sent fake PDF attachment with misleading link
Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Free subdomain host, Social engineering |
Event coverage
Rule body MQL
```mql
type.inbound
// pdf image
and strings.contains(body.html.raw,
                     'https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png'
)
// mentions attachments but there are none or just images with no pdfs
and strings.starts_with(body.current_thread.text, 'Please see attached.')
and all(attachments, .file_type in $file_types_images)
// self sender
and (
  length(recipients.to) == 1
  and sender.email.email == recipients.to[0].email.email
)
// display text ends with .pdf
and any(body.current_thread.links,
        strings.ends_with(.display_text, '.pdf')
        and .href_url.domain.subdomain is not null
        and .visible
        and not (
          .href_url.domain.root_domain == "googleusercontent.com"
          and strings.istarts_with(.href_url.path, "/mail-sig")
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- body.html.raw contains 'https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png'
- body.current_thread.text starts with 'Please see attached.'
- all of attachments where:
  - .file_type in $file_types_images
- all of:
  - length(recipients.to) is 1
  - sender.email.email is recipients.to[0].email.email
- any of body.current_thread.links where all hold:
  - .display_text ends with '.pdf'
  - .href_url.domain.subdomain is set
  - .visible
  - not:
    - all of:
      - .href_url.domain.root_domain is 'googleusercontent.com'
      - .href_url.path starts with '/mail-sig'
Inspects: attachments[].file_type, body.current_thread.links, body.current_thread.links[].display_text, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.domain.subdomain, body.current_thread.links[].href_url.path, body.current_thread.links[].visible, body.current_thread.text, body.html.raw, recipients.to, recipients.to[0].email.email, sender.email.email, type.inbound. Sensors: strings.contains, strings.ends_with, strings.istarts_with, strings.starts_with. Reference lists: $file_types_images.
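To make the conjunction above concrete, here is an added Python approximation of the rule's predicate run over constructed message records. It is not Sublime's code and not an MQL evaluator: the field names (`sender_email`, `recipients_to`, `links`, and so on) stand in for the MQL paths, `FILE_TYPES_IMAGES` is an assumed stand-in for the `$file_types_images` list, and root-domain extraction is a two-label approximation rather than a public-suffix lookup. The three sample messages show a hit, a message excluded by the Google mail-signature carve-out, and a message that carries a real PDF attachment.

```python
# Added example (not Sublime's code): plain-Python approximation of the rule's
# conditions, applied to constructed message dicts. Field names mirror the MQL
# paths; all sample values below are constructed for illustration.
from urllib.parse import urlparse

# Full proxied icon URL exactly as the rule matches it in body.html.raw
PDF_ICON = (
    "https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_"
    "C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8"
    "PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png"
)

# Assumed stand-in for Sublime's $file_types_images reference list
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}


def domain_parts(url):
    """Return (subdomain, root_domain, path) for a URL.

    Assumes a two-label root such as example.com; the MQL .href_url.domain
    fields use a proper public-suffix split, which this does not replicate.
    """
    parsed = urlparse(url)
    labels = (parsed.hostname or "").split(".")
    root = ".".join(labels[-2:]) if len(labels) >= 2 else parsed.hostname or ""
    sub = ".".join(labels[:-2]) if len(labels) > 2 else None
    return sub, root, parsed.path


def is_self_sent(msg):
    # length(recipients.to) == 1 and sender.email.email == recipients.to[0].email.email
    to = msg["recipients_to"]
    return len(to) == 1 and msg["sender_email"] == to[0]


def only_image_attachments(msg):
    # all(attachments, .file_type in $file_types_images); true for an empty list
    return all(a["file_type"] in FILE_TYPES_IMAGES for a in msg["attachments"])


def suspicious_pdf_link(link):
    # display text ends with .pdf, on a host with a subdomain, visible, and not a
    # Google mail-signature image link
    if not link["display_text"].endswith(".pdf") or not link["visible"]:
        return False
    sub, root, path = domain_parts(link["href_url"])
    if sub is None:
        return False
    if root == "googleusercontent.com" and path.lower().startswith("/mail-sig"):
        return False
    return True


def matches_rule(msg):
    """Return True when every condition of the rule holds for the message."""
    return (
        msg["inbound"]
        and PDF_ICON in msg["body_html_raw"]
        and msg["body_text"].startswith("Please see attached.")
        and only_image_attachments(msg)
        and is_self_sent(msg)
        and any(suspicious_pdf_link(link) for link in msg["links"])
    )


def _sample(**overrides):
    # Constructed baseline message; overrides tailor each sample case
    base = {
        "inbound": True,
        "sender_email": "alice@example.com",
        "recipients_to": ["alice@example.com"],
        "body_html_raw": '<img src="' + PDF_ICON + '" alt="pdf">',
        "body_text": "Please see attached. Invoice for your review.",
        "attachments": [{"file_type": "png"}],
        "links": [
            {"display_text": "Invoice_2024.pdf",
             "href_url": "https://docs.example-host.net/view/abc",
             "visible": True}
        ],
    }
    base.update(overrides)
    return base


SAMPLE_HIT = _sample()
SAMPLE_SIG_LINK = _sample(links=[
    {"display_text": "logo.pdf",
     "href_url": "https://ci3.googleusercontent.com/mail-sig/PLACEHOLDER",
     "visible": True}
])
SAMPLE_REAL_PDF = _sample(attachments=[{"file_type": "pdf"}])

if __name__ == "__main__":
    for name, msg in [("hit", SAMPLE_HIT), ("sig_link", SAMPLE_SIG_LINK),
                      ("real_pdf", SAMPLE_REAL_PDF)]:
        print(name, matches_rule(msg))
```

The mail-signature carve-out matters in practice: Google rewrites signature images through the same `googleusercontent.com` proxy, so without the `/mail-sig` exclusion a self-sent note with a signature image and an innocuous ".pdf"-labelled link would fire the rule.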
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
| strings.contains | substring | https://ci3.googleusercontent.com/meips/ADKq_Naq6rm1GwC4XYZepCUQtEMnJ-r-HjyX_C5lBU7lpxQk1OIDV7vvQYvSJQWYmQCzG8moTgX3Wak625OtyHWRinVeUJs7K710JiIZ4JNXVpTmC8PJjV4K34GsBA=s0-d-e1-ft#https://res-1.cdn.office.net/assets/mail/file-icon/png/pdf_16x16.png |
| strings.starts_with | prefix | Please see attached. |
| strings.ends_with | suffix | .pdf |
| body.current_thread.links[].href_url.domain.root_domain | equals | googleusercontent.com |
| strings.istarts_with | prefix | /mail-sig |