Attachment: DOCX with hyperlink targeting recipient address

Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.

Sublime rule (View on GitHub)

 1name: "Attachment: DOCX with hyperlink targeting recipient address"
 2description: "Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection."
 3type: "rule"
 4severity: "medium"
# Detection logic (MQL). The rule fires on inbound mail carrying a Word
# attachment whose XML holds a <w:hyperlink> element with a w:anchor value
# that is tied to the first "To" recipient's address, either verbatim or
# inside a base64-encoded segment.
 5source: |
   // Inbound mail only.
 6  type.inbound
   // Candidate attachments are chosen by extension alone (.docx and the
   // macro-enabled .docm); a Word document carrying another extension is
   // not examined by this rule.
 7  and any(filter(attachments, .file_extension in ('docx', 'docm')),
   // Explode the attachment and keep only the exploded parts whose raw
   // strings contain a <w:hyperlink> element (case-insensitive match).
 8          any(filter(file.explode(.),
 9                     strings.icontains(.scan.strings.raw, '<w:hyperlink')
10              ),
   // Extract every w:anchor attribute value found on a <w:hyperlink>
   // element into the named group "email_address".
11              any(regex.iextract(.scan.strings.raw,
12                                 '<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
13                  ),
   // Hit when the anchor equals the first "To" recipient's address
   // (exact comparison), or when any base64 segment inside the anchor
   // decodes to text containing that address (case-insensitive; padding
   // is not required for the decode).
   // NOTE(review): only recipients.to[0] is compared, so a message whose
   // personalised anchor targets another To/CC recipient is not matched;
   // the behaviour when recipients.to is empty (e.g. BCC-only delivery) is
   // not visible here -- confirm before relying on it.
14                  .named_groups["email_address"] == recipients.to[0].email.email
15                  or any(strings.scan_base64(.named_groups["email_address"],
16                                             ignore_padding=true
17                         ),
18                         strings.icontains(., recipients.to[0].email.email)
19                  )
20              )
21          )
22  )  
# Classification metadata: the attack types and tactics this rule is mapped
# to, and the analysis stages it depends on.
23attack_types:
24  - "Credential Phishing"
25  - "Malware/Ransomware"
26tactics_and_techniques:
27  - "Evasion"
28  - "Social engineering"
29detection_methods:
30  - "File analysis"
31  - "Archive analysis"
32  - "XML analysis"
# Stable rule identifier.
33id: "9ec8fa49-bda9-5e8f-876f-1e53a46d83ca"