From 04e38cca5f112610aa9ce6bbe9bed167255a8933 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 1 Aug 2025 15:55:22 -0500
Subject: [PATCH 1/3] Create attachment_pdf_recip_email_in_link.yml
---
 .../attachment_pdf_recip_email_in_link.yml | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 detection-rules/attachment_pdf_recip_email_in_link.yml
diff --git a/detection-rules/attachment_pdf_recip_email_in_link.yml b/detection-rules/attachment_pdf_recip_email_in_link.yml
new file mode 100644
index 00000000000..f29649b7641
--- /dev/null
+++ b/detection-rules/attachment_pdf_recip_email_in_link.yml
@@ -0,0 +1,65 @@
+name: "Attachment: PDF with recipient email in link"
+description: "Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // a single recipient (this is in the link so there can be only one)
+ and length(recipients.to) == 1
+ and all(recipients.to, .email.domain.valid)
+ // a single PDF attachment
+ and length(filter(attachments, .file_type == "pdf")) == 1
+ // in the PDF attachment
+ and any(attachments,
+ .file_type == "pdf"
+ and all(recipients.to,
+ strings.icontains(..file_name, .email.domain.sld)
+ // now file.explode the attachment and look for the eamil address in links
+ and any(file.explode(..),
+ // there is only a single link
+ length(
+ filter(.scan.url.urls,
+ not strings.icontains(.url, 'mailto')
+ )
+ ) == 1
+ // that link contains the email address
+ and (
+ any(
+ // filter out mailto links
+ filter(.scan.url.urls,
+ not strings.icontains(.url, 'mailto')
+ ),
+ // in the URL
+ strings.icontains(.url, ...email.email)
+ or any(beta.scan_base64(.url,
+ format="url",
+ ignore_padding=true
+ ),
+ strings.icontains(., ..url)
+ )
+ )
+ // or in a QR code
+ or strings.icontains(.scan.qr.url.url, ..email.email)
+ or any(beta.scan_base64(.scan.qr.url.url,
+ format="url",
+ ignore_padding=true
+ ),
+ strings.icontains(., ...email.email)
+ )
+ )
+ )
+ )
+ )
+
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "PDF"
+ - "QR code"
+ - "Encryption"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "QR code analysis"
+ - "URL analysis"
From 33cb4b2f349cc1015d87c89830a7eb5a52781731 Mon Sep 17 00:00:00 2001
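Review bot: The base64 check on the direct-link branch compares the decoded string against the link it was decoded from (`strings.icontains(., ..url)`) rather than against the recipient's address, so that branch appears to match only when a payload embeds its own URL and the "encoded in base64" case promised by the description is effectively never detected; the QR branch below it uses `strings.icontains(., ...email.email)` as intended. Because the link branch sits one scope deeper (inside the any() over the filtered urls), the recipient reference there presumably needs one more parent level, e.g. `strings.icontains(., ....email.email)` — confirm that depth resolves in MQL before merging. Two smaller points: the comment on the file.explode line has a typo (`eamil`), and "Encryption" under tactics_and_techniques describes base64, which is encoding rather than encryption, so if the taxonomy offers a more accurate value for obfuscated links it would fit better.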
From: ID Generator
Date: Fri, 1 Aug 2025 20:57:16 +0000
Subject: [PATCH 2/3] Auto add rule ID
---
 detection-rules/attachment_pdf_recip_email_in_link.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_pdf_recip_email_in_link.yml b/detection-rules/attachment_pdf_recip_email_in_link.yml
index f29649b7641..1b63a08431c 100644
--- a/detection-rules/attachment_pdf_recip_email_in_link.yml
+++ b/detection-rules/attachment_pdf_recip_email_in_link.yml
@@ -63,3 +63,4 @@ detection_methods:
 - "File analysis"
 - "QR code analysis"
 - "URL analysis"
+id: "0399d08f-57c6-58cb-87dc-8e58ccd0bc1b"
From 43abb3cc40cf2ffdc6397e83597867a655c9dcdf Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Mon, 18 Aug 2025 10:45:30 -0500
Subject: [PATCH 3/3] Update attachment_pdf_recip_email_in_link.yml
---
 detection-rules/attachment_pdf_recip_email_in_link.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/attachment_pdf_recip_email_in_link.yml b/detection-rules/attachment_pdf_recip_email_in_link.yml
index 1b63a08431c..965d3fee376 100644
--- a/detection-rules/attachment_pdf_recip_email_in_link.yml
+++ b/detection-rules/attachment_pdf_recip_email_in_link.yml
@@ -20,6 +20,7 @@ source: |
 length(
 filter(.scan.url.urls,
 not strings.icontains(.url, 'mailto')
+ and not strings.istarts_with(.url, 'email:')
 )
 ) == 1
 // that link contains the email address
@@ -28,6 +29,7 @@ source: |
 // filter out mailto links
 filter(.scan.url.urls,
 not strings.icontains(.url, 'mailto')
+ and not strings.istarts_with(.url, 'email:')
 ),
 // in the URL
 strings.icontains(.url, ...email.email)
@@ -50,8 +52,6 @@ source: |
 )
 )
 )
-
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
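Review bot: The new `email:` exclusion is matched with istarts_with while the neighbouring `mailto` exclusion uses icontains, so the two predicates treat schemes differently: `mailto` is excluded wherever it appears in the URL (including the path or query string of an http link that merely mentions it), whereas `email:` is excluded only as a scheme prefix. Making both prefix matches, `not strings.istarts_with(.url, 'mailto:')` alongside the added line, keeps the filter to non-http schemes and avoids dropping the one http link the rule is looking for when its path happens to contain the word mailto. The same pair appears in the second hunk of this patch (the any() filter at new line 29), which needs the identical change so the length() count and the link scan keep filtering the same set; the enclosing source expression starts and ends outside both hunks.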