From 74b830bdc48ab7e9006d0385bf1edf09881de7b0 Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Fri, 29 May 2026 11:47:36 -0400
Subject: [PATCH 1/3] Create body_self_sender_bold_pdf_link.yml
---
.../body_self_sender_bold_pdf_link.yml | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 detection-rules/body_self_sender_bold_pdf_link.yml
diff --git a/detection-rules/body_self_sender_bold_pdf_link.yml b/detection-rules/body_self_sender_bold_pdf_link.yml
new file mode 100644
index 00000000000..5f639375659
--- /dev/null
+++ b/detection-rules/body_self_sender_bold_pdf_link.yml
@@ -0,0 +1,36 @@
+name: "Link: Self-sent PDF lure with subject correlation"
+description: "Detects messages sent from a user to themselves containing bold PDF links where the link text correlates with the subject line or sender domain, potentially indicating a compromised account or social engineering technique."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // self sender
+ and (
+ length(recipients.to) == 1
+ and recipients.to[0].email.email == sender.email.email
+ )
+ // bold a tags ending in PDF
+ and any(html.xpath(body.html, '//a[./b]').nodes,
+ strings.iends_with(.display_text, ".pdf")
+ and (
+ // subject appears as the .pdf link
+ any(regex.extract(subject.base, '(?P\w+)'),
+ strings.contains(..display_text, .named_groups["word"])
+ )
+ // OR sender domain appears as the pdf link
+ or strings.icontains(.display_text, sender.email.domain.sld)
+ )
+ and not strings.starts_with(.display_text, "www")
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+ - "Content analysis"
From 386cc72e010a38cdf0f4a263aa616f0f09f4bf99 Mon Sep 17 00:00:00 2001
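Review bot: The subject-correlation branch accepts every `\w+` token of `subject.base`, so short or common tokens such as `Re`, `FW` or `a` satisfy `strings.contains` against almost any `.pdf` link text and make the correlation far looser than the description promises. That check is also case-sensitive while the sibling `sender.email.domain.sld` branch uses `strings.icontains`, so a subject word differing only in case from the link text is missed. Consider `strings.icontains(..display_text, .named_groups["word"])` together with a minimum token length such as `and length(.named_groups["word"]) > 3`, provided `length` accepts strings here as it does the `recipients.to` list. As rendered, the regex `'(?P\w+)'` carries no group name although `.named_groups["word"]` reads one from it; if the `word` name between `?P` and `\w+` was stripped in rendering rather than absent from the file this is fine, otherwise the extract never populates that key and the subject branch can never fire.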
From: CI Bot
Date: Fri, 29 May 2026 15:50:28 +0000
Subject: [PATCH 2/3] Auto-format MQL and add rule IDs
---
detection-rules/body_self_sender_bold_pdf_link.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/detection-rules/body_self_sender_bold_pdf_link.yml b/detection-rules/body_self_sender_bold_pdf_link.yml
index 5f639375659..5fe8bc9d3b1 100644
--- a/detection-rules/body_self_sender_bold_pdf_link.yml
+++ b/detection-rules/body_self_sender_bold_pdf_link.yml
@@ -34,3 +34,4 @@ detection_methods:
 - "HTML analysis"
 - "Sender analysis"
 - "Content analysis"
+id: "a902702f-0e69-57dd-af81-08225218cffb"
From ce1d205bb05977623d2850e68b60719e670822dd Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Mon, 1 Jun 2026 09:45:30 -0400
Subject: [PATCH 3/3] Update body_self_sender_bold_pdf_link.yml
modifying the last line to make it more accurate in filtering out URLs.
---
detection-rules/body_self_sender_bold_pdf_link.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/body_self_sender_bold_pdf_link.yml b/detection-rules/body_self_sender_bold_pdf_link.yml
index 5fe8bc9d3b1..b439fc54d7e 100644
--- a/detection-rules/body_self_sender_bold_pdf_link.yml
+++ b/detection-rules/body_self_sender_bold_pdf_link.yml
@@ -20,7 +20,7 @@ source: |
 // OR sender domain appears as the pdf link
 or strings.icontains(.display_text, sender.email.domain.sld)
 )
- and not strings.starts_with(.display_text, "www")
+ and coalesce(strings.parse_url(.display_text).scheme, "not_url") == "not_url"
 )
 
 attack_types:
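Review bot: The replacement line only rejects display text for which `strings.parse_url` yields a scheme, so a scheme-less URL such as `www.example.com/report.pdf` (constructed example), which the removed `strings.starts_with(.display_text, "www")` check did exclude, now passes if `parse_url` returns no scheme for input without `http(s)://`. Whether it infers a scheme in that case is not visible here, so it is worth confirming with a sample before relying on the new line alone. If it does not, keep both conditions: `and coalesce(strings.parse_url(.display_text).scheme, "not_url") == "not_url"` followed by `and not strings.starts_with(.display_text, "www")`. The enclosing `any(html.xpath(...).nodes, ...)` predicate starts above the hunk, so this line is still evaluated per bold anchor.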