Attachment: EML with Encrypted ZIP

Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.

Sublime rule

name: "Attachment: EML with Encrypted ZIP"
description: "Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content."
type: "rule"
severity: "low"
source: |
  type.inbound
  // attached EML
  and any(filter(attachments, .content_type == "message/rfc822"),
          // Attached EML contains a ZIP file
          any(filter(file.parse_eml(.).attachments,
                     .file_type == "zip" or .file_extension == "zip"
              ),
              // ZIP file is encrypted
              any(file.explode(.),
                  any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "6897a8f7-da66-52ed-a39e-d8c643e78fe9"
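The rule above chains three conditions: an attachment whose MIME type is message/rfc822, a ZIP inside that attached message (identified by content sniffing or by extension), and an encryption marker on the ZIP. The following Python example, added here and not part of Sublime's rule or platform, reproduces that chain with the standard library so the logic can be exercised offline. It builds constructed sample emails (the addresses, filenames and ZIP contents are made up), checks ZIP encryption by reading bit 0 of each entry's general purpose bit flag (the header field that "encrypted" checks key on; the sample archive only sets the flag, it is not genuinely password-protected), and shows that a ZIP attached directly to the outer message, rather than inside an attached EML, does not match, just as in the rule.

```python
import email
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the general purpose bit flag (APPNOTE 4.4.4)


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Hand-build a single-entry, stored (uncompressed) ZIP archive.

    Constructed sample: with encrypted=True only the encryption flag bit is
    set in the local and central headers; the data is not really enciphered.
    """
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    name_b = name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # local file header: sig, version, flags, method, time, date, crc, sizes, name/extra lengths
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(data), len(data), len(name_b), 0) + name_b
    cd_offset = len(local) + len(data)
    # central directory header: same fields plus comment/disk/attr fields and local offset 0
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0x21, crc, len(data), len(data), len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    # end of central directory: one entry, central dir size and offset, no comment
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       cd_offset, 0)
    return local + data + central + eocd


def read_zip_entry(data: bytes, name: str) -> bytes:
    """Sanity helper: prove the hand-built archive is readable by zipfile."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def zip_is_encrypted(data: bytes) -> bool:
    """Counterpart of `.scan.zip.encrypted`: any entry with the encryption bit set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def looks_like_zip(part) -> bool:
    """Counterpart of `.file_type == "zip" or .file_extension == "zip"`."""
    payload = part.get_payload(decode=True) or b""
    name = (part.get_filename() or "").lower()
    return payload.startswith(b"PK\x03\x04") or name.endswith(".zip")


def attached_eml_has_encrypted_zip(raw_email: bytes) -> bool:
    """True when an attached message/rfc822 part carries an encrypted ZIP."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the attached EML, already parsed (file.parse_eml)
        for att in inner.iter_attachments():
            if looks_like_zip(att) and zip_is_encrypted(att.get_payload(decode=True)):
                return True
    return False


def make_sample_email(*, nested: bool, encrypted: bool) -> bytes:
    """Constructed sample: a ZIP attached either directly or inside an attached EML."""
    zip_bytes = build_zip("invoice.txt", b"constructed payload", encrypted)
    carrier = EmailMessage()
    carrier["Subject"] = "Invoice"
    carrier["From"] = "sender@example.test"   # constructed address
    carrier["To"] = "recipient@example.test"  # constructed address
    carrier.set_content("Please see attached.")
    carrier.add_attachment(zip_bytes, maintype="application",
                           subtype="zip", filename="invoice.zip")
    if not nested:
        return carrier.as_bytes()
    outer = EmailMessage()
    outer["Subject"] = "Fwd: Invoice"
    outer["From"] = "forwarder@example.test"  # constructed address
    outer["To"] = "recipient@example.test"
    outer.set_content("Forwarding the message below.")
    outer.add_attachment(carrier)  # becomes a message/rfc822 attachment
    return outer.as_bytes()


if __name__ == "__main__":
    for nested, encrypted in ((True, True), (True, False), (False, True)):
        hit = attached_eml_has_encrypted_zip(make_sample_email(nested=nested, encrypted=encrypted))
        print(f"nested={nested} encrypted={encrypted} -> match={hit}")
```

The rule's YARA branch (`encrypted_zip`) is not reproduced; the flag-bit check covers the same header signal that such a signature typically matches on, and a real deployment would additionally want to recurse into nested archives and non-ZIP containers that `file.explode` handles.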
