From f252ae4ea517312d1e2618c4708e809ec39e537a Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Tue, 16 Dec 2025 10:46:35 -0600
Subject: [PATCH 1/2] Create link_pdf_display_mismatch.yml
---
 detection-rules/link_pdf_display_mismatch.yml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 detection-rules/link_pdf_display_mismatch.yml
diff --git a/detection-rules/link_pdf_display_mismatch.yml b/detection-rules/link_pdf_display_mismatch.yml
new file mode 100644
index 00000000000..1db48417622
--- /dev/null
+++ b/detection-rules/link_pdf_display_mismatch.yml
@@ -0,0 +1,52 @@
+name: "Link: PDF display mismatch with business document social engineering"
+description: "Detects links that display as PDF files but actually point to HTML pages on low-reputation domains, combined with business proposal or document-related social engineering language in the subject or body from external senders."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+
+ // SECTION 1: Core PDF Display Mismatch Pattern (High Confidence Indicator)
+ and any(body.links,
+ // Link displays as PDF but points to HTML page
+ strings.ilike(.display_text, "*.pdf")
+ and strings.icontains(.href_url.url, ".html")
+ // Link domain is not reputable
+ and .href_url.domain.root_domain not in $tranco_1m
+ // Domain completely unrelated to sender's organization
+ and .href_url.domain.root_domain != sender.email.domain.root_domain
+ )
+
+ // SECTION 3: Business Document Social Engineering Context
+ and (
+ // Look for business proposal/document language
+ strings.ilike(body.html.display_text,
+ "*proposal*", "*RFP*", "*selected*", "*document*",
+ "*preview*", "*review*", "*architects*", "*invited*")
+ or strings.ilike(subject.subject,
+ "*proposal*", "*RFP*", "*document*", "*architects*")
+ )
+
+ // SECTION 5: False Positive Reduction
+ and not (
+ // Not from organizational domains
+ sender.email.domain.root_domain in $org_domains
+ // Not from established legitimate senders
+ or profile.by_sender().any_messages_benign
+ // Not legitimate document sharing services
+ or any(body.links,
+ strings.ilike(.display_text, "*.pdf")
+ and .href_url.domain.root_domain in ("dropbox.com", "onedrive.live.com", "drive.google.com")
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "BEC/Fraud"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Whois"
From 785c84065fe639481d5bb817069da2fdfd03af01 Mon Sep 17 00:00:00 2001
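Review bot: The "document sharing services" exclusion in SECTION 5 is attacker-controllable and partly dead: it is evaluated over all `body.links`, so one benign-looking `.pdf`-labelled Dropbox link placed next to the malicious one suppresses the whole rule, and because `onedrive.live.com` and `drive.google.com` are not root domains they can never equal `.href_url.domain.root_domain` (which would be `live.com` / `google.com`). Since all three services' root domains are in `$tranco_1m`, SECTION 1 already cannot match them, so the safest fix is to delete the `or any(body.links, ...)` clause entirely rather than try to repair it. The `$org_domains` exclusion keys off the unauthenticated From domain, so a spoofed internal sender also silences the rule; if the platform exposes an authentication verdict, gate it, e.g. `sender.email.domain.root_domain in $org_domains and headers.auth_summary.dmarc.pass`. `profile.by_sender().any_messages_benign` will likewise exempt a compromised vendor account that has mailed the org before, which is probably acceptable but deserves a comment such as `// NOTE: a previously-benign sender is trusted; compromised accounts bypass this rule`. The `SECTION 1/3/5` labels suggest sections 2 and 4 were removed during drafting; renumber them or drop the numbers.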
From: ID Generator
Date: Tue, 16 Dec 2025 16:50:24 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/link_pdf_display_mismatch.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_pdf_display_mismatch.yml b/detection-rules/link_pdf_display_mismatch.yml
index 1db48417622..873e98d9048 100644
--- a/detection-rules/link_pdf_display_mismatch.yml
+++ b/detection-rules/link_pdf_display_mismatch.yml
@@ -50,3 +50,4 @@ detection_methods:
 - "Sender analysis"
 - "URL analysis"
 - "Whois"
+id: "901c1dd0-d557-57cf-b520-a287ad6e8be7"