Skip to content

Create attachment_pdf_comp_review.yml #3054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 19, 2025
Merged

Create attachment_pdf_comp_review.yml #3054

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
346928d
Create attachment_pdf_comp_review.yml
peterdj45 Aug 5, 2025
38e0a68
Auto add rule ID
Aug 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 118 additions & 0 deletions detection-rules/attachment_pdf_comp_review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
name: "Attachment: Compensation review lure with QR code"
description: "Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders."
type: "rule"
severity: "high"
source: |
type.inbound
and (
(
length(attachments) == 1
and any(attachments, .content_type == "application/pdf")
)
and (
// short or null message body
(
length(body.current_thread.text) < 500 or body.current_thread.text is null
)
// ignore disclaimers in body length calculation
or (
any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "disclaimer"
),
.text
),
(length(body.current_thread.text) - length(.)) < 500
)
)
)
)
and (
// attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
any(attachments,
any(file.explode(.),
(
(
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or .scan.qr.type == "url" and .scan.qr.url.domain.valid
)
// pay-related terms in filename
and (
(
regex.icontains(.file_name,
'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
)
// review/change terms in file content
or regex.icontains(.scan.ocr.raw,
'\b(Remuneration Overview|Updated Compensation (Summary|Schedule|Details)|Access Your Statements?)\b'
)
)
or (
(
// recipient email SLD in filename
any(recipients.to,
strings.icontains(..file_name, .email.domain.sld)
and .email.domain.valid
)
// recipient local_part in attachment body
and any(recipients.to,
strings.contains(..scan.ocr.raw, .email.local_part)
)
)
and (
// NLU cred_theft disposition
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
// suspicious topics
and any(beta.ml_topic(.scan.ocr.raw).topics,
.name in (
"Benefit Enrollment",
"Financial Communications"
)
and .confidence != "low"
)
)
)
)
)
)
)
and (
not profile.by_sender_email().solicited
or not profile.by_sender_email().any_messages_benign
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
// account for spoofed sender domains
or (
sender.email.domain.domain in $org_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "QR code"
- "Social engineering"
detection_methods:
- "File analysis"
- "Optical Character Recognition"
- "QR code analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "Header analysis"
id: "9fd8185c-e2a7-50d0-895d-9f6b1a1c43ab"