Create link_pdf_sender_domain_name.yml

markmsublime · web-flow · commit 689183cdb275 · 2026-02-02T18:01:47.000-05:00
diff --git a/detection-rules/link_pdf_sender_domain_name.yml b/detection-rules/link_pdf_sender_domain_name.yml
@@ -0,0 +1,60 @@
+name: "Link: PDF filename impersonation with credential theft language"
+description: "Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // extract the first body link and compare to the sender's sld, look for less than 4 levenshtein distances or the exact match on the sld in URL ending in .pdf 
+    any(regex.iextract(body.current_thread.links[0].display_text,
+                       '(?P<starter>.*)\b\d+\.pdf$'
+        ),
+        strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
+    )
+    or (
+      strings.istarts_with(body.current_thread.links[0].display_text,
+                           sender.email.domain.sld
+      )
+      and regex.icontains(body.current_thread.links[0].display_text,
+                          '\b\d+\.pdf$'
+      )
+    )
+  )
+  // cred theft intent or other request language 
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence != "low"
+    )
+    or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
+                  .name == "request"
+           ),
+           regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
+    )
+  )
+  // self sender pattern or sum of recipients is zero 
+  and (
+    length(recipients.to) <= 1
+    and (
+      sender.email.email == recipients.to[0].email.email
+      or recipients.to[0].email.domain.valid == false
+      or sum([
+               length(recipients.to),
+               length(recipients.cc),
+               length(recipients.bcc)
+             ]
+      ) == 0
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Header analysis"
+  - "Sender analysis"
+  - "URL analysis"
