[PR #3661] added rule: Attachment: PDF with banking and payment references from freemail sender

Author: github-actions[bot]

detection-rules/3661_attachment_pdf_file_banking_payment_from_freemail.yml

@@ -0,0 +1,37 @@
+name: "Attachment: PDF with banking and payment references from freemail sender"
+description: "Detects PDF attachments containing banking terminology such as SWIFT codes, account numbers, and payment references from free email providers. These attachments often contain fraudulent payment instructions or fake banking documents used in business email compromise attacks."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain in $free_email_providers
+  and length(attachments) == 1
+  and any(filter(attachments,
+          .file_extension == "pdf"),
+          any(file.explode(.),
+                  .depth == 1
+                  and (
+                    regex.icontains(.scan.ocr.raw, "payment")
+                    or regex.contains(.scan.ocr.raw, "SWIFT")
+                    or regex.contains(.scan.ocr.raw, "Swift Copy")
+                    or regex.icontains(.scan.ocr.raw, "bank code:")
+                    or regex.icontains(.scan.ocr.raw, "account number:")
+                    or regex.icontains(.scan.ocr.raw, "payment")
+                  )
+          )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Free email provider"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "054acfa2-ba42-54d0-ba6e-ce562db7fd56"
+og_id: "3d46be24-a640-515d-bae9-480effa2b5c8"
+testing_pr: 3661
+testing_sha: e657dc85cfd6495043c7aae1e45046e22bef375e