
Summary
Detects inbound PDF attachments whose EXIF title metadata starts with 127.0.0.1, applicable when the message has exactly one recipient and that recipient is either the sender itself (self-addressed) or an address in an invalid domain. The rule relies on PDF file analysis via EXIF data to identify localhost references embedded in document metadata, a pattern commonly produced by automated document generation tools and seen in certain malware campaigns. It flags attachments with file_type 'pdf' and checks whether the EXIF title starts with 127.0.0.1, which indicates potential evasion or templating that references the local host. This behavior is intended to catch covert or tooling-based document preparation that may accompany phishing or malware delivery. The logic requires a single recipient, and either a self-sent scenario or a recipient whose domain is invalid, to reduce noise from legitimate multi-recipient mail flows.
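As an added illustration, not the rule's own query or code from the project that publishes it, the following Python models the conditions above over constructed messages. The Message/Attachment classes, the purely syntactic domain-validity check, and the sample data are assumptions of this example; only the 127.0.0.1 prefix and the 'pdf' file type come from the rule description.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The only values taken from the rule description.
EXIF_TITLE_PREFIX = "127.0.0.1"
PDF_FILE_TYPE = "pdf"

@dataclass
class Attachment:                       # assumed model of an analysed attachment
    file_type: str
    exif_title: Optional[str] = None    # EXIF/Info "Title" already extracted

@dataclass
class Message:                          # assumed model of an inbound message
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def domain_is_valid(domain: str) -> bool:
    """Assumption: syntactic validity only (hostname labels plus a TLD of
    two or more letters). A production check would also consult DNS/MX."""
    return re.fullmatch(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", domain) is not None

def localhost_titled_pdf(att: Attachment) -> bool:
    return att.file_type == PDF_FILE_TYPE and (att.exif_title or "").startswith(EXIF_TITLE_PREFIX)

def rule_matches(msg: Message) -> bool:
    """Exactly one recipient, self-addressed or invalid domain, and a PDF whose title starts with 127.0.0.1."""
    if len(msg.recipients) != 1:
        return False
    rcpt = msg.recipients[0]
    self_addressed = rcpt.lower() == msg.sender.lower()
    if not (self_addressed or not domain_is_valid(domain_of(rcpt))):
        return False
    return any(localhost_titled_pdf(a) for a in msg.attachments)

# Constructed sample messages covering each branch of the logic.
SAMPLES: Dict[str, Message] = {
    "self_sent_hit": Message("alice@example.com", ["alice@example.com"], [Attachment("pdf", "127.0.0.1/invoice.pdf")]),
    "invalid_domain_hit": Message("billing@example.com", ["victim@localhost"], [Attachment("pdf", "127.0.0.1:8080/report")]),
    "two_recipients_miss": Message("alice@example.com", ["alice@example.com", "bob@example.com"], [Attachment("pdf", "127.0.0.1/invoice.pdf")]),
    "normal_title_miss": Message("alice@example.com", ["alice@example.com"], [Attachment("pdf", "Quarterly report")]),
    "external_valid_miss": Message("alice@example.com", ["bob@example.org"], [Attachment("pdf", "127.0.0.1/invoice.pdf")]),
}

def evaluate_samples() -> Dict[str, bool]:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}
```

Running evaluate_samples() shows that only the two "hit" messages fire, which is the noise-reduction effect of the single-recipient and self-sent/invalid-domain constraints.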
Categories
- Network
- Endpoint
Data Sources
- File
Created: 2026-06-30