sublime-security · markmsublime · Sep 3, 2025 · Aug 11, 2025 · Aug 11, 2025
@@ -0,0 +1,40 @@
+name: "Attachment: Fictitious invoice using LinkedIn's address"
+description: "Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(filter(attachments, .file_type == "pdf")) < 3
+  and any(filter(attachments,
+                 .file_type == "pdf"
+                 // creator and producer of PDF seen in malicious content
+                 and (
+                   strings.starts_with(beta.parse_exif(.).creator, "wkhtmltopdf")
+                   or strings.starts_with(beta.parse_exif(.).producer, "Qt ")
+                 )
+          ),
+          any(filter(file.explode(.), .scan.ocr.raw is not null),
+              // contains LinkedIn HQ address but not from LinkedIn
+              (
+                strings.icontains(.scan.ocr.raw, "1000 W Maude Ave")
+                and any(beta.ml_topic(body.current_thread.text).topics,
+                        .name == "Financial Communications"
+                        and .confidence != "low"
+                )
+                and not strings.icontains(.scan.ocr.raw, "linkedin")
+              ),
+          )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Natural Language Understanding"
+  - "Content analysis"
+  - "Exif analysis"
+id: "aeee3d9f-4b34-5b56-9ac7-81dc3d344489"