heroui logo

Attachment: Single-page PDF with S3-hosted HTML link

Sublime Rules

View Source
Summary
Detects inbound messages containing a single-page PDF attachment that includes exactly one URL, which links to an HTML file hosted on Amazon S3 (amazonaws.com). The rule requires the attachment to be a PDF with a single page (beta.parse_exif(.).page_count == 1) and exactly one embedded URL (length(.scan.pdf.urls) == 1). That URL must have a path containing .html and point to amazonaws.com with an S3 subdomain. This pattern is commonly used to redirect recipients to a credential harvesting page while leveraging trusted cloud infrastructure to evade detection. The rule is aligned with Credential Phishing, using PDF as an attack vector, leveraging a free file host/delivery mechanism, and employing evasion tactics. Detection methods include File analysis (to inspect the PDF and its embedded URLs), Exif analysis (to verify page_count), and URL analysis (to validate the hosted HTML link on S3). Implementing this rule can help identify targeted phishing attempts that abuse cloud hosting to appear legitimate, but care should be taken to minimize false positives from legitimate documents that legitimately link to S3-hosted HTML resources.
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • File
Created: 2026-07-17