Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.
Attackers often embed malicious files within archives to bypass email gateway controls.
Sublime rule (View on GitHub)
1name: "Attachment: Archive containing disallowed file type"
2description: |
3 Recursively scans archives to detect disallowed file types. File extensions can be detected
4 within password-protected archives.
5
6 Attackers often embed malicious files within archives to bypass email gateway controls.
7references:
8 - "https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments"
9 - "https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519"
10type: "rule"
11severity: "low"
12source: |
13 type.inbound
14 and any(attachments,
15 (
16 .file_extension in~ $file_extensions_common_archives
17 or .file_type == "rar"
18 )
19 and any(file.explode(.),
20 .file_extension in~ (
21 // File types blocked by Gmail by default
22 // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
23 "ade",
24 "adp",
25 "apk",
26 "appx",
27 "appxbundle",
28 "bat",
29 "cab",
30 "chm",
31 "cmd",
32 "com",
33 "cpl",
34 "dll",
35 "dmg",
36 "ex",
37 "ex_",
38 "exe",
39 "hta",
40 "ins",
41 "isp",
42 "iso",
43 "jar",
44 "js",
45 "jse",
46 "lib",
47 "lnk",
48 "mde",
49 "msc",
50 "msi",
51 "msix",
52 "msixbundle",
53 "msp",
54 "mst",
55 "nsh",
56 "pif",
57 "ps1",
58 "scr",
59 "sct",
60 "shb",
61 "sys",
62 "vb",
63 "vbe",
64 "vbs",
65 "vxd",
66 "wsc",
67 "wsf",
68 "wsh",
69
70 // File types blocked by Microsoft 365 by default
71 // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
72 "ade",
73 "adp",
74 "app",
75 "application",
76 "appref-ms",
77 "asp",
78 "aspx",
79 "asx",
80 // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
81 "bat",
82 "bgi",
83 "cab",
84 // "cer",
85 "chm",
86 "cmd",
87 "cnt",
88 "com",
89 "cpl",
90 // "crt",
91 // "csh",
92 // "der",
93 "diagcab",
94 "exe",
95 "fxp",
96 "gadget",
97 // "grp",
98 "hlp",
99 "hpj",
100 "hta",
101 "htc",
102 // "inf",
103 "ins",
104 "iso",
105 "isp",
106 "its",
107 "jar",
108 "jnlp",
109 "js",
110 "jse",
111 "ksh",
112 "lnk",
113 "mad",
114 "maf",
115 "mag",
116 "mam",
117 "maq",
118 "mar",
119 "mas",
120 "mat",
121 "mau",
122 "mav",
123 "maw",
124 "mcf",
125 "mda",
126 // "mdb",
127 "mde",
128 "mdt",
129 "mdw",
130 "mdz",
131 "msc",
132 "msh",
133 "msh1",
134 "msh2",
135 "mshxml",
136 "msh1xml",
137 "msh2xml",
138 "msi",
139 "msp",
140 "mst",
141 "msu",
142 "ops",
143 "osd",
144 "pcd",
145 "pif",
146 "pl",
147 "plg",
148 "prf",
149 "prg",
150 "printerexport",
151 "ps1",
152 "ps1xml",
153 "ps2",
154 "ps2xml",
155 "psc1",
156 "psc2",
157 "psd1",
158 "psdm1",
159 "pst",
160 // "py",
161 // "pyc",
162 "pyo",
163 "pyw",
164 "pyz",
165 "pyzw",
166 "reg",
167 "scf",
168 "scr",
169 "sct",
170 "shb",
171 "shs",
172 "theme",
173 // "tmp",
174 "url",
175 "vb",
176 "vbe",
177 "vbp",
178 "vbs",
179 "vhd",
180 "vhdx",
181 "vsmacros",
182 "vsw",
183 "webpnp",
184 "website",
185 "ws",
186 "wsc",
187 "wsf",
188 "wsh",
189 "xbap",
190 "xll",
191 "xnk"
192 )
193 or (
194 // BASIC files can naturally occur in word docs,
195 // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
196 .depth == 1
197 and .file_extension =~ "bas"
198 )
199 )
200 )
201 and (
202 profile.by_sender().prevalence in ("new", "outlier")
203 or profile.by_sender().any_messages_malicious_or_spam
204 )
205 and not profile.by_sender().any_messages_benign
206tags:
207 - "Attack surface reduction"
208attack_types:
209 - "Malware/Ransomware"
210tactics_and_techniques:
211 - "Evasion"
212detection_methods:
213 - "Archive analysis"
214 - "File analysis"
215id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"