Update attachment_encrypted_pdf_cred_theft.yml (#3087)

peterdj45 · zoomequipd · web-flow · commit ca4a7a0d16bd · 2025-08-18T13:03:40.000Z
Co-authored-by: Brandon Murphy &lt;4827852+zoomequipd@users.noreply.github.com&gt;
diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
@@ -23,6 +23,25 @@ source: |
     or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
            .name == "cred_theft" and .confidence in ("medium", "high")
     )
+    or (
+      (
+        regex.icontains(body.current_thread.text,
+                        'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
+        )
+        or ( 
+          (
+            length(body.current_thread.text) <= 10
+            or (body.current_thread.text is null)
+          )
+          and any(body.previous_threads,
+                  regex.icontains(.text,
+                                  'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
+
+                  )
+          )
+        )
+      )
+    )
   )
   and (
     (
