Attachment: DOCX with malicious document template artifacts

Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.

Sublime rule

name: "Attachment: DOCX with malicious document template artifacts"
description: "Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "docx"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name in ("malicious_docx_document_template_artifacts")
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "File analysis"
  - "YARA"
id: "add997e7-b313-5746-a60f-b61e60eb3915"
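The rule keys on a YARA match that is identified here only by its name. As an added illustration (not Sublime's rule or its YARA logic), the Python below checks one artifact commonly associated with malicious document templates: a DOCX whose settings relationships attach a template from an external URL rather than a local file. The DOCX fixtures and the example.invalid URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_template_targets(docx_bytes):
    """Return external targets of attachedTemplate relationships in a DOCX.

    A benign document either has no attachedTemplate relationship or points at
    a local template; an External target (a URL) is the artifact flagged here.
    This is an assumed check, not the YARA rule the Sublime rule references.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                findings.append(rel.get("Target", ""))
    return findings


def build_sample_docx(rels_xml=None):
    """Constructed minimal DOCX-shaped zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed fixtures: one benign, one with an external template reference.
BENIGN_DOCX = build_sample_docx()
EXTERNAL_TEMPLATE_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="https://example.invalid/template.dotm" TargetMode="External"/>'
    "</Relationships>"
)
SUSPICIOUS_DOCX = build_sample_docx(EXTERNAL_TEMPLATE_RELS)
```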