Attachment: Any .sap file (unsolicited)
SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment.
Sublime rule
name: "Attachment: Any .sap file (unsolicited)"
description: "SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment."
references:
  - "https://onapsis.com/blog/sap-shortcut-phishing-threat/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments, .file_extension == "sap")
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "220ed3de-1b01-54a4-898d-6081785e2870"
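To see which messages the rule above fires on and which branch suppresses it, here is an added Python model of its logic run over constructed sample messages. This is not Sublime's own code: the Message fields and HIGH_TRUST_ROOT_DOMAINS set are assumed stand-ins for the MQL attributes (attachments, profile.by_sender(), headers.auth_summary.dmarc) and the $high_trust_sender_root_domains list.

```python
# Added example, not Sublime's code: mirrors the rule's source block clause by
# clause so each suppression path (benign history, trusted domain + DMARC pass) is visible.
from dataclasses import dataclass, field

# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_ROOT_DOMAINS = {"trusted-example.com"}


@dataclass
class Message:
    sender_root_domain: str                 # sender.email.domain.root_domain
    attachments: list = field(default_factory=lambda: ["sap"])  # file extensions
    inbound: bool = True                    # type.inbound
    dmarc_pass: bool = True                 # headers.auth_summary.dmarc.pass
    solicited: bool = False                 # profile.by_sender().solicited
    any_malicious_or_spam: bool = False     # profile.by_sender().any_messages_malicious_or_spam
    any_benign: bool = False                # profile.by_sender().any_messages_benign


def matches_rule(m: Message) -> bool:
    if not m.inbound:
        return False
    if not any(ext == "sap" for ext in m.attachments):
        return False
    # Sender must be unsolicited, or have prior malicious/spam messages.
    if m.solicited and not m.any_malicious_or_spam:
        return False
    # Any benign history with this sender suppresses the rule.
    if m.any_benign:
        return False
    # High-trust root domains are negated only while DMARC passes, so a
    # spoofed trusted domain that fails DMARC still fires.
    high_trust = m.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS
    return not (high_trust and m.dmarc_pass)


# Constructed samples, one per branch of the rule.
SAMPLES = {
    "unknown_sender_sap": Message("unknown-sender.invalid"),
    "trusted_domain_dmarc_pass": Message("trusted-example.com"),
    "trusted_domain_dmarc_fail": Message("trusted-example.com", dmarc_pass=False),
    "solicited_with_benign_history": Message("partner.invalid", solicited=True, any_benign=True),
    "solicited_but_prior_spam": Message("partner.invalid", solicited=True, any_malicious_or_spam=True),
    "pdf_only": Message("unknown-sender.invalid", attachments=["pdf"]),
    "outbound": Message("unknown-sender.invalid", inbound=False),
}


def evaluate_samples() -> dict:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:32} {'ALERT' if hit else 'no match'}")
```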