
Summary
Detects inbound PDF attachments that contain W-9 lure signatures by matching the YARA rule named pdf_w9_signature_c003. The rule filters for inbound events with at least one PDF attachment, then explodes the file and checks its YARA matches for that signature name. It targets social-engineering BEC/fraud campaigns that use W-9 tax form lures and similar tricks. Detection relies on file analysis and YARA scanning, and the rule is set to medium severity.
Categories
- Endpoint
Data Sources
- File
Created: 2026-07-02