You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
name: "Attachment: PDF with recipient email in link"
2
+
description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
3
+
type: "rule"
4
+
severity: "high"
5
+
source: |
6
+
type.inbound
7
+
// a single recipient (this is in the link so there can be only one)
8
+
and length(recipients.to) == 1
9
+
and all(recipients.to, .email.domain.valid)
10
+
// a single PDF attachment
11
+
and length(filter(attachments, .file_type == "pdf")) == 1
12
+
// in the PDF attachment
13
+
and any(attachments,
14
+
.file_type == "pdf"
15
+
and all(recipients.to,
16
+
strings.icontains(..file_name, .email.domain.sld)
17
+
// now file.explode the attachment and look for the eamil address in links
18
+
and any(file.explode(..),
19
+
// there is only a single link
20
+
length(
21
+
filter(.scan.url.urls,
22
+
not strings.icontains(.url, 'mailto')
23
+
)
24
+
) == 1
25
+
// that link contains the email address
26
+
and (
27
+
any(
28
+
// filter out mailto links
29
+
filter(.scan.url.urls,
30
+
not strings.icontains(.url, 'mailto')
31
+
),
32
+
// in the URL
33
+
strings.icontains(.url, ...email.email)
34
+
or any(beta.scan_base64(.url,
35
+
format="url",
36
+
ignore_padding=true
37
+
),
38
+
strings.icontains(., ..url)
39
+
)
40
+
)
41
+
// or in a QR code
42
+
or strings.icontains(.scan.qr.url.url, ..email.email)
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments