Create attachment_pdf_w9_invoice_lure.yml (#3890)

Co-authored-by: CI Bot <hello@sublimesecurity.com>

Author: keaton-sublime

detection-rules/attachment_pdf_w9_invoice_lure.yml

@@ -0,0 +1,21 @@
+name: "Attachment: PDF contains W9 or invoice YARA signatures"
+description: "PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              any(.scan.yara.matches, .name in ("w9_pdf_01", "invoice_pdf_01"))
+          )
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "YARA"
+id: "9a8e8a98-34a6-5cdc-b151-d4eff3322f23"