Update attachment_encrypted_pdf_cred_theft.yml (#3484)

zoomequipd · web-flow · commit 323952035d2f · 2025-11-08T17:07:42.000Z
diff --git a/detection-rules/attachment_encrypted_pdf_cred_theft.yml b/detection-rules/attachment_encrypted_pdf_cred_theft.yml
@@ -4,17 +4,16 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and any(attachments,
-          .file_type == "pdf"
-          and any(file.explode(.),
-                  any(.scan.exiftool.fields, .key == "Encryption")
-                  or (
-                    .scan.entropy.entropy > 7
-                    and any(.scan.strings.strings,
-                            strings.icontains(., "/Encrypt")
-                    )
-                  )
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              any(.scan.exiftool.fields, .key == "Encryption")
+              or (
+                .scan.entropy.entropy > 7
+                and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
+              )
           )
+          // Encrypted PDFs do not have child nodes with any data
+          and all(filter(file.explode(.), .depth > 0), .size == 0)
   )
   and (
     any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -76,7 +75,6 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
-
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
