Attachment: Archive containing disallowed file type

Recursively scans archive attachments for files whose extension is on the Gmail or Microsoft 365 default attachment block lists. Detection is by file extension, so it still works for password-protected archives whose file names are readable; it will not catch a payload that has been renamed to a benign extension.

Attackers often embed malicious files within archives to bypass email gateway controls.

Sublime rule (YAML source)

  1name: "Attachment: Archive containing disallowed file type"
  2description: |
  3  Recursively scans archives to detect disallowed file types. File extensions can be detected
  4  within password-protected archives.
  5
  6  Attackers often embed malicious files within archives to bypass email gateway controls.  
  7references:
  8  - "https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments"
  9  - "https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519"
 10type: "rule"
 11severity: "low"
 12source: |
 13  type.inbound
 14  and any(attachments,
 15        (
 16          .file_extension in~ $file_extensions_common_archives
 17          or .file_type == "rar"
 18        )
 19      and any(file.explode(.), .file_extension in~ (
 20              // File types blocked by Gmail by default
 21              // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
 22              "ade",
 23              "adp",
 24              "apk",
 25              "appx",
 26              "appxbundle",
 27              "bat",
 28              "cab",
 29              "chm",
 30              "cmd",
 31              "com",
 32              "cpl",
 33              "dll",
 34              "dmg",
 35              "ex",
 36              "ex_",
 37              "exe",
 38              "hta",
 39              "ins",
 40              "isp",
 41              "iso",
 42              "jar",
 43              "js",
 44              "jse",
 45              "lib",
 46              "lnk",
 47              "mde",
 48              "msc",
 49              "msi",
 50              "msix",
 51              "msixbundle",
 52              "msp",
 53              "mst",
 54              "nsh",
 55              "pif",
 56              "ps1",
 57              "scr",
 58              "sct",
 59              "shb",
 60              "sys",
 61              "vb",
 62              "vbe",
 63              "vbs",
 64              "vxd",
 65              "wsc",
 66              "wsf",
 67              "wsh",
 68              // File types blocked by Gmail by default
 69              // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
 70              "ade",
 71              "adp",
 72              "apk",
 73              "appx",
 74              "appxbundle",
 75              "bat",
 76              "cab",
 77              "chm",
 78              "cmd",
 79              "com",
 80              "cpl",
 81              "dll",
 82              "dmg",
 83              "ex",
 84              "ex_",
 85              "exe",
 86              "hta",
 87              "ins",
 88              "isp",
 89              "iso",
 90              "jar",
 91              "js",
 92              "jse",
 93              "lib",
 94              "lnk",
 95              "mde",
 96              "msc",
 97              "msi",
 98              "msix",
 99              "msixbundle",
100              "msp",
101              "mst",
102              "nsh",
103              "pif",
104              "ps1",
105              "scr",
106              "sct",
107              "shb",
108              "sys",
109              "vb",
110              "vbe",
111              "vbs",
112              "vxd",
113              "wsc",
114              "wsf",
115              "wsh",
116
117              // File types blocked by Microsoft 365 by default
118              // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
119              "ade",
120              "adp",
121              "app",
122              "application",
123              "appref-ms",
124              "asp",
125              "aspx",
126              "asx",
127              // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
128              "bat",
129              "bgi",
130              "cab",
131              // "cer",
132              "chm",
133              "cmd",
134              "cnt",
135              "com",
136              "cpl",
137              // "crt",
138              // "csh",
139              // "der",
140              "diagcab",
141              "exe",
142              "fxp",
143              "gadget",
144              // "grp",
145              "hlp",
146              "hpj",
147              "hta",
148              "htc",
149              // "inf",
150              "ins",
151              "iso",
152              "isp",
153              "its",
154              "jar",
155              "jnlp",
156              "js",
157              "jse",
158              "ksh",
159              "lnk",
160              "mad",
161              "maf",
162              "mag",
163              "mam",
164              "maq",
165              "mar",
166              "mas",
167              "mat",
168              "mau",
169              "mav",
170              "maw",
171              "mcf",
172              "mda",
173              // "mdb",
174              "mde",
175              "mdt",
176              "mdw",
177              "mdz",
178              "msc",
179              "msh",
180              "msh1",
181              "msh2",
182              "mshxml",
183              "msh1xml",
184              "msh2xml",
185              "msi",
186              "msp",
187              "mst",
188              "msu",
189              "ops",
190              "osd",
191              "pcd",
192              "pif",
193              "pl",
194              "plg",
195              "prf",
196              "prg",
197              "printerexport",
198              "ps1",
199              "ps1xml",
200              "ps2",
201              "ps2xml",
202              "psc1",
203              "psc2",
204              "psd1",
205              "psdm1",
206              "pst",
207              // "py",
208              // "pyc",
209              "pyo",
210              "pyw",
211              "pyz",
212              "pyzw",
213              "reg",
214              "scf",
215              "scr",
216              "sct",
217              "shb",
218              "shs",
219              "theme",
220              // "tmp",
221              "url",
222              "vb",
223              "vbe",
224              "vbp",
225              "vbs",
226              "vhd",
227              "vhdx",
228              "vsmacros",
229              "vsw",
230              "webpnp",
231              "website",
232              "ws",
233              "wsc",
234              "wsf",
235              "wsh",
236              "xbap",
237              "xll",
238              "xnk"
239            )
240            or (
241              // BASIC files can naturally occur in word docs,
242              // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
243              .depth == 1
244              and .file_extension =~ "bas"
245            )
246    )
247  )
248
249  and (
250    profile.by_sender().prevalence in ("new", "outlier")
251    or profile.by_sender().any_messages_malicious_or_spam
252  )
253  and not profile.by_sender().any_false_positives
254    
255tags:
256  - "Attack surface reduction"
257attack_types:
258  - "Malware/Ransomware"
259tactics_and_techniques:
260  - "Evasion"
261detection_methods:
262  - "Archive analysis"
263  - "File analysis"
264id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"
