Skip to content

Create link_pdf_icon.yml#4007

Merged
keaton-sublime merged 5 commits intomainfrom
keaton-sublime.fn.link_pdf_icon
Mar 18, 2026
Merged

Create link_pdf_icon.yml#4007
keaton-sublime merged 5 commits intomainfrom
keaton-sublime.fn.link_pdf_icon

Conversation

@keaton-sublime
Copy link
Copy Markdown
Member

@keaton-sublime keaton-sublime commented Feb 11, 2026

Description

Detects messages containing table rows with 25px height images and links where the display text references PDF content, potentially indicating malicious PDF delivery attempts through deceptive formatting.

Associated samples

Associated hunts

@keaton-sublime keaton-sublime added the in-test-rules PR is in our testing suite to collect telemetry label Feb 12, 2026
github-actions Bot added a commit that referenced this pull request Feb 12, 2026
@github-actions
[Test Rules] [PR #4007] added rule: Link: PDF download with inline im…
7f21198 
…age and suspicious formatting
github-actions Bot added a commit that referenced this pull request Feb 20, 2026
@github-actions
[Test Rules] [PR #4007] modified rule: Link: PDF download with inline…
953ea5f 
… image and suspicious formatting
@keaton-sublime keaton-sublime marked this pull request as ready for review March 16, 2026 21:13
@keaton-sublime keaton-sublime requested a review from a team March 16, 2026 21:13
@keaton-sublime keaton-sublime requested a review from a team as a code owner March 16, 2026 21:13
@keaton-sublime keaton-sublime added the review-needed Indicates that a PR is waiting for review label Mar 16, 2026
@keaton-sublime
Copy link
Copy Markdown
Member Author

keaton-sublime commented Mar 16, 2026

Telemetry looks good, marking as review needed.

github-actions Bot added a commit that referenced this pull request Mar 16, 2026
@github-actions
[Shared Samples] [PR #4007] added rule: PR# 4007 - Link: PDF download…
d63e7ee 
… with inline image and suspicious formatting
@zoomequipd
Copy link
Copy Markdown
Member

zoomequipd commented Mar 17, 2026

updated hunt: https://platform.sublime.security/messages/hunt?huntId=019cfd39-315b-760b-9734-f717ab5c05ef

github-actions Bot added a commit that referenced this pull request Mar 17, 2026
@github-actions
[Test Rules] [PR #4007] Delete detection rule
dfdf07a
github-actions Bot added a commit that referenced this pull request Mar 17, 2026
@github-actions
[Test Rules] [PR #4007] added rule: Link: PDF display text with fake …
e3fa73b 
…copyright claim template
github-actions Bot added a commit that referenced this pull request Mar 17, 2026
@github-actions
[Shared Samples] [PR #4007] Delete detection rule
aea1caa
github-actions Bot added a commit that referenced this pull request Mar 17, 2026
@github-actions
[Shared Samples] [PR #4007] added rule: PR# 4007 - Link: PDF display …
6897f91 
…text with fake copyright claim template
@keaton-sublime keaton-sublime added this pull request to the merge queue Mar 18, 2026
Merged via the queue into main with commit e06c7fd Mar 18, 2026
3 checks passed
@keaton-sublime keaton-sublime deleted the keaton-sublime.fn.link_pdf_icon branch March 18, 2026 12:09
github-actions Bot added a commit that referenced this pull request Mar 18, 2026
@github-actions
[Shared Samples] [PR #4007] Delete detection rule
95486f6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd approved these changes

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@keaton-sublime @zoomequipd