[PR sublime-security#3661] added rule: PR# 3661 - Attachment: PDF with banking and payment references from freemail sender

github-actions[bot] · github-actions[bot] · commit df5381484264 · 2026-01-16T19:09:01.000Z
diff --git a/detection-rules/3661_attachment_pdf_file_banking_payment_from_freemail.yml b/detection-rules/3661_attachment_pdf_file_banking_payment_from_freemail.yml
@@ -0,0 +1,80 @@
+name: "PR# 3661 - Attachment: PDF with banking and payment references from freemail sender"
+description: "Detects PDF attachments containing banking terminology such as SWIFT codes, account numbers, and payment references from free email providers. These attachments often contain fraudulent payment instructions or fake banking documents used in business email compromise attacks."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // Has attachment
+  and 0 < length(attachments) < 3
+  // Short message (BEC pattern)
+  and length(body.current_thread.text) < 200
+  // pdf with these keywords
+  and any(filter(attachments, .file_extension == "pdf"),
+          any(file.explode(.),
+              .depth == 1
+              and (
+                regex.icontains(.scan.ocr.raw,
+                                'swift(?: copy)?',
+                                "bank code:",
+                                "account number:",
+                                "payment"
+                )
+              )
+          )
+  )
+  // Display name or local_part suggests executive/authority
+  and (
+    // Common executive titles
+    regex.icontains(sender.display_name,
+                    // CEO, CFO, COO, President, Chairman, Director, VP, EVP, SVP
+                    '\b((?:C(?:hairman|[EFO]O)|President|Director|[ES]?VP))\b'
+    )
+    // Or looks like: firstname.lastname.company@freemail
+    or (
+      regex.count(sender.email.local_part, '\.') == 2
+      and regex.contains(sender.email.local_part, '\.([a-z]{2,})\.')
+    )
+    // or any defined org brands like: first.last.sublime@freemail
+    or any($org_slds, strings.icontains(sender.email.local_part, .))
+    or any($org_brand_names, strings.icontains(sender.email.local_part, .))
+    // Or contains common company abbreviations
+    or regex.icontains(sender.email.local_part, '\.(?:inc|corp|ltd|llc|co)$')
+  )
+  
+  // Financial/transaction language
+  and (
+    regex.icontains(body.current_thread.text,
+                    '(?:transaction|lawyer|wire|transfer|bank.{0,20}account)'
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).topics,
+           .name == "Legal and Compliance" and .confidence == "high"
+    )
+  )
+  
+  // Urgency indicators
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
+    or regex.icontains(body.current_thread.text,
+                       '(?:urgent|asap|immediately|today|by.*(?:friday|weekend|eod|end of day))'
+    )
+  )
+  
+  // Free email provider
+  and sender.email.domain.root_domain in $free_email_providers
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Free email provider"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "054acfa2-ba42-54d0-ba6e-ce562db7fd56"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_MSAdministrator
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/3661
