heroui logo

Attachment: Encrypted PDF with credential theft language in EML

Sublime Rules

View Source
Summary
This rule detects inbound email threats where an EML package carries an encrypted PDF attachment and the email body language signals credential theft. Detection begins with parsing the inbound agent’s EMl and attachment structure: it locates PDF attachments, explodes file contents, and flags PDFs that are encrypted by either metadata (ExifTool field Encryption) or by high entropy (entropy > 7) with strings suggesting encryption (e.g., “/Encrypt”). It also requires that encrypted PDFs appear to have minimal internal data (no meaningful child nodes with data). The rule then correlates this with natural language signals of credential theft in the email body: a high/medium confidence intent named cred_theft from an NLU classifier on the body text, or via OCR on an HTML-rendered email body (beta.ocr) to extract text and classify as cred_theft, or via regex patterns that describe password protection, access, unlock, or decrypt phrases related to PDFs. If the current thread lacks content, the rule inspects previous threads for matching text. The detection also includes safeguards against false positives by excluding forwards/replies, applying sender/recipient reputation heuristics (new/outlier senders, spam indicators), DMARC-based trust checks, and domain validity logic, so highly trusted senders are not flagged when DMARC passes. In sum, it targets credential-theft phishing attempts delivered as encrypted PDFs within an EML attachment, using a combination of file-level cryptographic indicators, content/exif analysis, NLP/OCR text analysis, and sender reputation rules.
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-07-14