Attachment: Archive containing disallowed file type
Recursively explodes archive attachments and flags any member whose file extension is on the Gmail or Microsoft 365 default attachment block lists. Matching is by file name only, so it still works for password-protected archives whose file listing is stored in the clear (standard ZIP is); archive formats that also encrypt the file names (e.g. 7-Zip with header encryption, RAR created with -hp) expose nothing for this rule to inspect, and a member whose extension was renamed is not flagged either.
Attackers often embed malicious files within archives to bypass email gateway controls that would block the same file types if they were attached directly.
# Sublime Security MQL detection rule (attachment level).
# Fires on inbound mail carrying an archive attachment whose exploded contents
# include a file extension that Gmail or Microsoft 365 would block by default
# if the same file were attached directly.
name: "Attachment: Archive containing disallowed file type"
# NOTE(review): the logic below compares .file_extension only -- nothing checks
# the exploded member's file_type / magic bytes. So:
#   - the "password-protected archives" claim holds only for formats whose file
#     listing is stored in the clear (standard ZIP); containers that also encrypt
#     their file names give this rule nothing to inspect;
#   - a payload saved under a harmless extension (payload.exe -> payload.txt)
#     is not flagged by this rule.
description: |
  Recursively scans archives to detect disallowed file types. File extensions can be detected
  within password-protected archives.

  Attackers often embed malicious files within archives to bypass email gateway controls.
# Vendor block lists the two extension sets in `source` are transcribed from.
references:
  - "https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments"
  - "https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519"
type: "rule"
# Low: this is a policy / attack-surface-reduction rule, not evidence that a
# payload is malicious.
severity: "low"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // Gate on the *outer* attachment's extension: only attachments named like a
  // common archive are exploded here. An archive with an unrelated extension,
  // or a container type absent from $file_extensions_common_archives, is not
  // inspected by this rule.
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          // file.explode() yields the archive's members, including those of
          // nested containers; every member at any depth is tested. in~ is
          // case-insensitive, so "INVOICE.EXE" matches "exe".
          and any(file.explode(.),
                  .file_extension in~ (
                    // File types blocked by Gmail by default
                    // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
                    // Overlap with the Microsoft list below is harmless to in~;
                    // each list is presumably kept verbatim so it can be
                    // diffed against its vendor source.
                    "ade",
                    "adp",
                    "apk",
                    "appx",
                    "appxbundle",
                    "bat",
                    "cab",
                    "chm",
                    "cmd",
                    "com",
                    "cpl",
                    "dll",
                    "dmg",
                    "ex",
                    "ex_",
                    "exe",
                    "hta",
                    "ins",
                    "isp",
                    "iso",
                    "jar",
                    "js",
                    "jse",
                    "lib",
                    "lnk",
                    "mde",
                    "msc",
                    "msi",
                    "msix",
                    "msixbundle",
                    "msp",
                    "mst",
                    "nsh",
                    "pif",
                    "ps1",
                    "scr",
                    "sct",
                    "shb",
                    "sys",
                    "vb",
                    "vbe",
                    "vbs",
                    "vxd",
                    "wsc",
                    "wsf",
                    "wsh",

                    // File types blocked by Microsoft 365 by default
                    // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
                    // Entries commented out below are on Microsoft's list but are
                    // deliberately not matched here (certificates, .inf, .tmp,
                    // .mdb, .csh, .grp, Python source) -- presumably a
                    // false-positive trade-off; re-enable per local policy.
                    "ade",
                    "adp",
                    "app",
                    "application",
                    "appref-ms",
                    "asp",
                    "aspx",
                    "asx",
                    // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
                    "bat",
                    "bgi",
                    "cab",
                    // "cer",
                    "chm",
                    "cmd",
                    "cnt",
                    "com",
                    "cpl",
                    // "crt",
                    // "csh",
                    // "der",
                    "diagcab",
                    "exe",
                    "fxp",
                    "gadget",
                    // "grp",
                    "hlp",
                    "hpj",
                    "hta",
                    "htc",
                    // "inf",
                    "ins",
                    "iso",
                    "isp",
                    "its",
                    "jar",
                    "jnlp",
                    "js",
                    "jse",
                    "ksh",
                    "lnk",
                    "mad",
                    "maf",
                    "mag",
                    "mam",
                    "maq",
                    "mar",
                    "mas",
                    "mat",
                    "mau",
                    "mav",
                    "maw",
                    "mcf",
                    "mda",
                    // "mdb",
                    "mde",
                    "mdt",
                    "mdw",
                    "mdz",
                    "msc",
                    "msh",
                    "msh1",
                    "msh2",
                    "mshxml",
                    "msh1xml",
                    "msh2xml",
                    "msi",
                    "msp",
                    "mst",
                    "msu",
                    "ops",
                    "osd",
                    "pcd",
                    "pif",
                    "pl",
                    "plg",
                    "prf",
                    "prg",
                    "printerexport",
                    "ps1",
                    "ps1xml",
                    "ps2",
                    "ps2xml",
                    "psc1",
                    "psc2",
                    "psd1",
                    "psdm1",
                    "pst",
                    // "py",
                    // "pyc",
                    "pyo",
                    "pyw",
                    "pyz",
                    "pyzw",
                    "reg",
                    "scf",
                    "scr",
                    "sct",
                    "shb",
                    "shs",
                    "theme",
                    // "tmp",
                    "url",
                    "vb",
                    "vbe",
                    "vbp",
                    "vbs",
                    "vhd",
                    "vhdx",
                    "vsmacros",
                    "vsw",
                    "webpnp",
                    "website",
                    "ws",
                    "wsc",
                    "wsf",
                    "wsh",
                    "xbap",
                    "xll",
                    "xnk"
                  )
                  or (
                    // BASIC files can naturally occur in word docs,
                    // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
                    // NOTE(review): because the check is on depth alone, a .bas
                    // nested inside a second archive (archive -> archive -> bas,
                    // depth 2) is skipped by this carve-out as well, not only one
                    // embedded in a document.
                    .depth == 1
                    and .file_extension =~ "bas"
                  )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"