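--- /dev/null
+++ b/detection-rules/link_pdf_display_mismatch.yml
@@ -0,0 +1,53 @@
+name: "Link: PDF display mismatch with business document social engineering"
+description: "Detects links that display as PDF files but actually point to HTML pages on low-reputation domains, combined with business proposal or document-related social engineering language in the subject or body from external senders."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+
+// SECTION 1: Core PDF Display Mismatch Pattern (High Confidence Indicator)
+and any(body.links,
+// Link displays as PDF but points to HTML page
+strings.ilike(.display_text, "*.pdf")
+and strings.icontains(.href_url.url, ".html")
+// Link domain is not reputable
+and .href_url.domain.root_domain not in $tranco_1m
+// Domain completely unrelated to sender's organization
+and .href_url.domain.root_domain != sender.email.domain.root_domain
+)
+
+// SECTION 3: Business Document Social Engineering Context
+and (
+// Look for business proposal/document language
+strings.ilike(body.html.display_text,
+"*proposal*", "*RFP*", "*selected*", "*document*",
+"*preview*", "*review*", "*architects*", "*invited*")
+or strings.ilike(subject.subject,
+"*proposal*", "*RFP*", "*document*", "*architects*")
+)
+
+// SECTION 5: False Positive Reduction
+and not (
+// Not from organizational domains
+sender.email.domain.root_domain in $org_domains
+// Not from established legitimate senders
+or profile.by_sender().any_messages_benign
+// Not legitimate document sharing services
+or any(body.links,
+strings.ilike(.display_text, "*.pdf")
+and .href_url.domain.root_domain in ("dropbox.com", "onedrive.live.com", "drive.google.com")
+)
+)
+attack_types:
+- "Credential Phishing"
+- "BEC/Fraud"
+- "Malware/Ransomware"
+tactics_and_techniques:
+- "Evasion"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Sender analysis"
+- "URL analysis"
+- "Whois"
+id: "901c1dd0-d557-57cf-b520-a287ad6e8be7"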
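Review bot: The document-sharing exclusion in SECTION 5 compares `.href_url.domain.root_domain` against `"onedrive.live.com"` and `"drive.google.com"`, but a root domain is never a subdomain, so only the `dropbox.com` entry can ever match; either compare on `.href_url.domain.domain` or list the roots, `and .href_url.domain.root_domain in ("dropbox.com", "live.com", "google.com")`. That exclusion is also evaluated over any link in the message rather than the mismatched one from SECTION 1, so adding one legitimate Dropbox-hosted PDF link alongside the malicious one suppresses the detection; folding the service check into the SECTION 1 `any()` predicate would close that. The `$org_domains` bypass is applied on the bare sender domain with no authentication check, so a spoofed internal From address is exempted outright; the usual form is `sender.email.domain.root_domain in $org_domains and headers.auth_summary.dmarc.pass` (field names inferred from the sibling rules, please confirm). Separately, `strings.icontains(.href_url.url, ".html")` matches anywhere in the URL including query strings and misses `.htm`, `.php` and extension-less landing pages, so the mismatch condition is narrower than the description claims; a path-anchored test such as `regex.icontains(.href_url.path, '\.html?$')` would at least be precise about what it catches. The section comments jump 1, 3, 5 and `detection_methods` lists "Whois" although nothing in the source queries whois; renumbering the sections and dropping that entry would keep the metadata honest.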