Skip to content

Add detection rule for suspicious PDF links in RFQ/RFP#4563

Open
peterdj45 wants to merge 7 commits into
mainfrom
peter.new.link_suspicious_rfq
Open

Add detection rule for suspicious PDF links in RFQ/RFP#4563
peterdj45 wants to merge 7 commits into
mainfrom
peter.new.link_suspicious_rfq

Conversation

@peterdj45

@peterdj45 peterdj45 commented May 28, 2026

Copy link
Copy Markdown
Member

Description

This rule detects messages with reply or forward subjects that contain links appearing as PDF files but redirect to potentially malicious domains, specifically targeting RFQ or RFP terminology.

Associated samples

Associated hunts

@peterdj45
Add detection rule for suspicious PDF links in RFQ/RFP
71a434e 
This rule detects messages with reply or forward subjects that contain links appearing as PDF files but redirect to potentially malicious domains, specifically targeting RFQ or RFP terminology.
@peterdj45 peterdj45 requested a review from a team May 28, 2026 22:54
@peterdj45 peterdj45 requested a review from a team as a code owner May 28, 2026 22:54
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 28, 2026
github-actions Bot added a commit that referenced this pull request May 28, 2026
@github-actions
[Test Rules] [PR #4563] added rule: Link: PDF with suspicious Request…
4f4bf63 
… for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit that referenced this pull request May 28, 2026
@github-actions
[Shared Samples] [PR #4563] added rule: PR# 4563 - Link: PDF with sus…
fb37a38 
…picious Request for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 28, 2026
@github-actions
[Test Rules] [PR sublime-security#4563] added rule: Link: PDF with su…
557c173 
…spicious Request for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Jun 4, 2026
@github-actions
[Test Rules] [PR sublime-security#4563] modified rule: Link: PDF with…
9e54fbc 
… suspicious Request for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit that referenced this pull request Jun 4, 2026
@github-actions
[Test Rules] [PR #4563] modified rule: Link: PDF with suspicious Requ…
bae1da9 
…est for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit that referenced this pull request Jun 4, 2026
@github-actions
[Shared Samples] [PR #4563] modified rule: PR# 4563 - Link: PDF with …
88e3989 
…suspicious Request for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Shared Samples] [PR #4563] modified rule: PR# 4563 - Link: PDF with …
b453461 
…suspicious Request for Quote or Purchase (RFQ|RFP)
@peterdj45

peterdj45 commented Jun 5, 2026

Copy link
Copy Markdown
Member Author

multi-hunts look good, results in ESC-14369

@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Jun 5, 2026
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR sublime-security#4563] modified rule: Link: PDF with…
ef21193 
… suspicious Request for Quote or Purchase (RFQ|RFP)
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR #4563] modified rule: Link: PDF with suspicious Requ…
753892e 
…est for Quote or Purchase (RFQ|RFP)
@IndiaAce

IndiaAce commented Jun 8, 2026

Copy link
Copy Markdown
Member

Reviewing the telemetry in shared samples I'm not sure if we're getting enough unique coverage from https://github.com/sublime-security/sublime-rules/blob/883ff2f87408afb3c14f06f075915d974d009e7e/detection-rules/suspicious_request_for_quote_or_purchase.yml to warrant making a net-new rule for this. What are your thoughts on folding in the PDF angle to the change I made to this rule a few months ago: https://github.com/sublime-security/sublime-rules/pull/4401/changes up to conversation about that.

adding something like

  or (
    any(body.current_thread.links,
        strings.iends_with(.display_text, '.pdf')
        and regex.icontains(.display_text,
                            '(\bR\.?F\.?P\b|\bR\.?F\.?Q\b|Request.for.(?:Quot(e|ation)|Purchas(e|ing))|proposal|purchase.?order)'
        )
    )
  )

@IndiaAce IndiaAce self-assigned this Jun 8, 2026
@IndiaAce IndiaAce self-requested a review June 8, 2026 17:00
@IndiaAce

IndiaAce commented Jun 9, 2026

Copy link
Copy Markdown
Member

I'm going to remove review-needed for the time being on this but feel free to PM me or just remark it ready for review whenever you're ready thanks!

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IndiaAce IndiaAce Awaiting requested review from IndiaAce

At least 1 approving review is required to merge this pull request.

Assignees

@IndiaAce IndiaAce

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@peterdj45 @IndiaAce