Suspicious attachment: Duplicate decoy PDF files
This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, PDF |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| body |
| type |
Rule body MQL
```mql
type.inbound
and length(attachments) > 1
and all(attachments, .file_type == "pdf")
and (
  length(distinct(attachments, .file_name)) == 1
  or length(distinct(attachments, .md5)) == 1
)
and all(attachments,
  .file_type == "pdf"
  and all(file.explode(.),
    (
      length(.scan.url.urls) == 0
      or length(.scan.pdf.urls) == 0
      or length(body.links) == 0
    )
    and .scan.ocr.raw is null
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- length(attachments) > 1
- all of attachments where:
  - .file_type is 'pdf'
- any of:
  - length(distinct(attachments, .file_name)) is 1
  - length(distinct(attachments, .md5)) is 1
- all of attachments where all hold:
  - .file_type is 'pdf'
  - all of file.explode(.) where all hold:
    - any of:
      - length(.scan.url.urls) is 0
      - length(.scan.pdf.urls) is 0
      - length(body.links) is 0
    - .scan.ocr.raw is missing
Inspects: attachments[].file_name, attachments[].file_type, attachments[].md5, body.links, type.inbound. Sensors: file.explode.
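The same logic re-implemented in Python over plain message metadata, as an added example that is not part of Sublime's rule or platform. It assumes each attachment carries an `exploded` list standing in for the output of `file.explode(.)`, and the sample message is constructed; note that, like the MQL, the URL checks are joined with `or`, so a single empty URL source satisfies the "no hyperlinks" branch.

```python
import hashlib

def distinct_count(items, key):
    """Equivalent of length(distinct(attachments, .key)) in the rule."""
    return len({a[key] for a in items})

def exploded_part_is_blank(part, body_links):
    """Inner predicate on each file.explode(.) result: OCR found no text and
    at least one of the three URL sources is empty (the rule joins them with 'or')."""
    no_links = (len(part["scan"]["url"]["urls"]) == 0
                or len(part["scan"]["pdf"]["urls"]) == 0
                or len(body_links) == 0)
    return no_links and part["scan"]["ocr"]["raw"] is None

def matches_duplicate_decoy_pdf(message):
    """True when the message would satisfy the rule above."""
    atts = message["attachments"]
    if not message["type"]["inbound"] or len(atts) <= 1:
        return False
    if not all(a["file_type"] == "pdf" for a in atts):
        return False
    # Duplicates: every attachment shares one file name, or one MD5.
    if distinct_count(atts, "file_name") != 1 and distinct_count(atts, "md5") != 1:
        return False
    return all(exploded_part_is_blank(part, message["body"]["links"])
               for a in atts
               for part in a["exploded"])  # "exploded": assumed stand-in for file.explode(.)

def pdf_attachment(name, content, ocr_text=None, pdf_urls=()):
    """Constructed attachment record in the shape the checker expects."""
    return {"file_type": "pdf", "file_name": name,
            "md5": hashlib.md5(content).hexdigest(),
            "exploded": [{"scan": {"url": {"urls": []},
                                   "pdf": {"urls": list(pdf_urls)},
                                   "ocr": {"raw": ocr_text}}}]}

# Constructed sample: two byte-identical blank PDFs under different names.
SAMPLE_DECOY = {
    "type": {"inbound": True},
    "body": {"links": []},
    "attachments": [pdf_attachment("invoice.pdf", b"%PDF-1.4 blank"),
                    pdf_attachment("receipt.pdf", b"%PDF-1.4 blank")],
}
```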
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | pdf |