
Summary
This rule detects potentially malicious PDF attachments that link to ZIP files originating from unsolicited senders. The detection mechanism analyzes inbound messages, checking for specific attributes in the message body and attachments. It employs a Natural Language Understanding (NLU) classifier to identify requests within the message content. If the message contains a PDF attachment, the rule examines the URLs embedded in the PDF for links that lead to ZIP files, ensuring the domains associated with those links do not appear on a trusted list (tranco_1m). Additionally, the rule distinguishes between solicited and unsolicited messages by analyzing the sender's profile for previous interactions. If the sender is recognized as unsolicited or has a history of sending malicious or spam messages (without previous false positives), the rule triggers an alert. This approach provides robust protection against phishing attempts and malware distribution through manipulated documents.
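The following is an added example, not the rule's own query or the vendor's code: a small Python evaluator that applies the conditions described above to constructed inbound messages. The `tranco_1m` set, the sender-profile fields and the keyword-based stand-in for the NLU request classifier are assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for the tranco_1m trusted-domain list (assumption).
TRANCO_1M = {"google.com", "microsoft.com", "dropbox.com"}

@dataclass
class Attachment:
    file_type: str
    urls: list[str] = field(default_factory=list)  # links extracted from the PDF

@dataclass
class SenderProfile:  # assumed fields summarising prior interactions
    prior_messages: int = 0
    prior_malicious_or_spam: int = 0
    prior_false_positives: int = 0

@dataclass
class Message:
    direction: str
    body: str
    attachments: list[Attachment]
    sender: SenderProfile

def registered_domain(url: str) -> str:
    # Naive last-two-labels extraction; real rules use a proper suffix list.
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def zip_links_to_untrusted(att: Attachment) -> list[str]:
    # Links in the PDF that point at a .zip on a domain outside the trusted list.
    return [u for u in att.urls
            if urlparse(u).path.lower().endswith(".zip")
            and registered_domain(u) not in TRANCO_1M]

def nlu_requests_action(body: str) -> bool:
    # Keyword stand-in for the NLU "request" classifier (assumption).
    cues = ("please review", "download", "open the attached", "action required")
    return any(c in body.lower() for c in cues)

def sender_is_unsolicited(p: SenderProfile) -> bool:
    # Never seen before, or previously malicious/spam with no false positives.
    if p.prior_messages == 0:
        return True
    return p.prior_malicious_or_spam > 0 and p.prior_false_positives == 0

def matches(msg: Message) -> bool:
    if msg.direction != "inbound" or not nlu_requests_action(msg.body):
        return False
    if not sender_is_unsolicited(msg.sender):
        return False
    return any(att.file_type == "pdf" and zip_links_to_untrusted(att)
               for att in msg.attachments)
```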
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
- Internet Scan
Created: 2023-05-17