From 346928da3661676c30cddb31a25530a117e3a662 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 5 Aug 2025 12:31:45 -0700
Subject: [PATCH 1/2] Create attachment_pdf_comp_review.yml
---
.../attachment_pdf_comp_review.yml | 117 ++++++++++++++++++
1 file changed, 117 insertions(+)
create mode 100644 detection-rules/attachment_pdf_comp_review.yml
diff --git a/detection-rules/attachment_pdf_comp_review.yml b/detection-rules/attachment_pdf_comp_review.yml
new file mode 100644
index 00000000000..8eaceb83603
--- /dev/null
+++ b/detection-rules/attachment_pdf_comp_review.yml
@@ -0,0 +1,117 @@
+name: "Attachment: Compensation review lure with QR code"
+description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ (
+ length(attachments) == 1
+ and any(attachments, .content_type == "application/pdf")
+ )
+ and (
+ // short or null message body
+ (
+ length(body.current_thread.text) < 500 or body.current_thread.text is null
+ )
+ // ignore disclaimers in body length calculation
+ or (
+ any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
+ .name == "disclaimer"
+ ),
+ .text
+ ),
+ (length(body.current_thread.text) - length(.)) < 500
+ )
+ )
+ )
+ )
+ and (
+ // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
+ any(attachments,
+ any(file.explode(.),
+ (
+ (
+ regex.icontains(.scan.ocr.raw, 'scan|camera')
+ and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
+ )
+ or .scan.qr.type == "url" and .scan.qr.url.domain.valid
+ )
+ // pay-related terms in filename
+ and (
+ (
+ regex.icontains(.file_name,
+ 'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
+ )
+ // review/change terms in file content
+ or regex.icontains(.scan.ocr.raw,
+ '\b(Remuneration Overview|Updated Compensation (Summary|Schedule|Details)|Access Your Statements?)\b'
+ )
+ )
+ or (
+ (
+ // recipient email SLD in filename
+ any(recipients.to,
+ strings.icontains(..file_name, .email.domain.sld)
+ and .email.domain.valid
+ )
+ // recipient local_part in attachment body
+ and any(recipients.to,
+ strings.contains(..scan.ocr.raw, .email.local_part)
+ )
+ )
+ and (
+ // NLU cred_theft disposition
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+ // suspicious topics
+ and any(beta.ml_topic(.scan.ocr.raw).topics,
+ .name in (
+ "Benefit Enrollment",
+ "Financial Communications"
+ )
+ and .confidence != "low"
+ )
+ )
+ )
+ )
+ )
+ )
+ )
+ and (
+ not profile.by_sender_email().solicited
+ or not profile.by_sender_email().any_messages_benign
+ or (
+ profile.by_sender_email().any_messages_malicious_or_spam
+ and not profile.by_sender_email().any_messages_benign
+ )
+ // account for spoofed sender domains
+ or (
+ sender.email.domain.domain in $org_domains
+ and not coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "PDF"
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "QR code analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "Header analysis"
From 38e0a68695eb28aece15965d14ba9675e140e34f Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 5 Aug 2025 19:32:58 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
detection-rules/attachment_pdf_comp_review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_pdf_comp_review.yml b/detection-rules/attachment_pdf_comp_review.yml
index 8eaceb83603..934182948da 100644
--- a/detection-rules/attachment_pdf_comp_review.yml
+++ b/detection-rules/attachment_pdf_comp_review.yml
@@ -115,3 +115,4 @@ detection_methods:
 - "Natural Language Understanding"
 - "Sender analysis"
 - "Header analysis"
+id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"