Skip to content

Create attachment_embedded_pdf_icon.yml #3994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
keaton-sublime wants to merge 4 commits into
base: main
Choose a base branch
from
+20 −0
Draft

Create attachment_embedded_pdf_icon.yml #3994

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b0857ae
Create attachment_embedded_pdf_icon.yml
keaton-sublime Feb 10, 2026
61a210c
Auto-format MQL and add rule IDs
Feb 10, 2026
0697035
Update attachment_embedded_pdf_icon.yml
keaton-sublime Feb 11, 2026
84d6cd0
Auto-format MQL and add rule IDs
Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions detection-rules/attachment_embedded_pdf_icon.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: "Attachment: Embedded PDF icon with inline image reference"
description: "Detects messages containing HTML with PDF icons that reference inline images using Content-ID (CID) patterns, commonly used to create misleading PDF attachment appearances without actual PDF files."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(html.xpath(body.html, '//img').nodes) == 1
and any(html.xpath(body.html, '//img[@alt="PDF"]').nodes,
regex.contains(.raw, 'src="cid:image[0-9]{3}\.png@')
)
attack_types:
- "Credential Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Image as content"
detection_methods:
- "HTML analysis"
- "Content analysis"
id: "118751f2-9ce2-5a04-9c7d-d42c32d504fb"