Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.
Attackers often embed malicious files within archives to bypass email gateway controls.
Sublime rule (View on GitHub)
1name: "Attachment: Archive containing disallowed file type"
2description: |
3 Recursively scans archives to detect disallowed file types. File extensions can be detected
4 within password-protected archives.
5
6 Attackers often embed malicious files within archives to bypass email gateway controls.
7references:
8 - "https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments"
9 - "https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519"
10type: "rule"
11severity: "low"
12source: |
13 type.inbound
14 and any(attachments,
15 (
16 .file_extension in~ $file_extensions_common_archives
17 or .file_type == "rar"
18 )
19 and any(file.explode(.), .file_extension in~ (
20 // File types blocked by Gmail by default
21 // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
22 "ade",
23 "adp",
24 "apk",
25 "appx",
26 "appxbundle",
27 "bat",
28 "cab",
29 "chm",
30 "cmd",
31 "com",
32 "cpl",
33 "dll",
34 "dmg",
35 "ex",
36 "ex_",
37 "exe",
38 "hta",
39 "ins",
40 "isp",
41 "iso",
42 "jar",
43 "js",
44 "jse",
45 "lib",
46 "lnk",
47 "mde",
48 "msc",
49 "msi",
50 "msix",
51 "msixbundle",
52 "msp",
53 "mst",
54 "nsh",
55 "pif",
56 "ps1",
57 "scr",
58 "sct",
59 "shb",
60 "sys",
61 "vb",
62 "vbe",
63 "vbs",
64 "vxd",
65 "wsc",
66 "wsf",
67 "wsh",
68
69 // File types blocked by Microsoft 365 by default
70 // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
71 "ade",
72 "adp",
73 "app",
74 "application",
75 "appref-ms",
76 "asp",
77 "aspx",
78 "asx",
79 // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
80 "bat",
81 "bgi",
82 "cab",
83 // "cer",
84 "chm",
85 "cmd",
86 "cnt",
87 "com",
88 "cpl",
89 // "crt",
90 // "csh",
91 // "der",
92 "diagcab",
93 "exe",
94 "fxp",
95 "gadget",
96 // "grp",
97 "hlp",
98 "hpj",
99 "hta",
100 "htc",
101 // "inf",
102 "ins",
103 "iso",
104 "isp",
105 "its",
106 "jar",
107 "jnlp",
108 "js",
109 "jse",
110 "ksh",
111 "lnk",
112 "mad",
113 "maf",
114 "mag",
115 "mam",
116 "maq",
117 "mar",
118 "mas",
119 "mat",
120 "mau",
121 "mav",
122 "maw",
123 "mcf",
124 "mda",
125 // "mdb",
126 "mde",
127 "mdt",
128 "mdw",
129 "mdz",
130 "msc",
131 "msh",
132 "msh1",
133 "msh2",
134 "mshxml",
135 "msh1xml",
136 "msh2xml",
137 "msi",
138 "msp",
139 "mst",
140 "msu",
141 "ops",
142 "osd",
143 "pcd",
144 "pif",
145 "pl",
146 "plg",
147 "prf",
148 "prg",
149 "printerexport",
150 "ps1",
151 "ps1xml",
152 "ps2",
153 "ps2xml",
154 "psc1",
155 "psc2",
156 "psd1",
157 "psdm1",
158 "pst",
159 // "py",
160 // "pyc",
161 "pyo",
162 "pyw",
163 "pyz",
164 "pyzw",
165 "reg",
166 "scf",
167 "scr",
168 "sct",
169 "shb",
170 "shs",
171 "theme",
172 // "tmp",
173 "url",
174 "vb",
175 "vbe",
176 "vbp",
177 "vbs",
178 "vhd",
179 "vhdx",
180 "vsmacros",
181 "vsw",
182 "webpnp",
183 "website",
184 "ws",
185 "wsc",
186 "wsf",
187 "wsh",
188 "xbap",
189 "xll",
190 "xnk"
191 )
192 or (
193 // BASIC files can naturally occur in word docs,
194 // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
195 .depth == 1
196 and .file_extension =~ "bas"
197 )
198 )
199 )
200
201 and (
202 profile.by_sender().prevalence in ("new", "outlier")
203 or profile.by_sender().any_messages_malicious_or_spam
204 )
205 and not profile.by_sender().any_false_positives
206
207tags:
208 - "Attack surface reduction"
209attack_types:
210 - "Malware/Ransomware"
211tactics_and_techniques:
212 - "Evasion"
213detection_methods:
214 - "Archive analysis"
215 - "File analysis"
216id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"