Attachment: EML with Encrypted ZIP
Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.
Sublime rule:

name: "Attachment: EML with Encrypted ZIP"
description: "Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content."
type: "rule"
severity: "low"
source: |
  type.inbound
  // attached EML
  and any(filter(attachments, .content_type == "message/rfc822"),
          // Attached EML contains a ZIP file
          any(filter(file.parse_eml(.).attachments,
                     .file_type == "zip" or .file_extension == "zip"
              ),
              // ZIP file is encrypted
              any(file.explode(.),
                  any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "6897a8f7-da66-52ed-a39e-d8c643e78fe9"
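The same nesting logic, written here as an added Python example using only the standard library (not Sublime's code or its MQL engine): walk the outer message's attachments, parse each message/rfc822 part as its own EML, and flag it only if that inner message carries a ZIP whose entries have the encryption bit set. The ZIP check assumes general-purpose flag bit 0 stands in for the rule's `.scan.zip.encrypted` / `encrypted_zip` YARA flavor; the archive and the two-layer messages are constructed in the block, and the "encrypted" archive only has the flag bit set, with no real cipher applied.

```python
import email, io, struct, zipfile
from email import policy
from email.message import EmailMessage

ZIP_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flag marks an encrypted entry

def zip_is_encrypted(data: bytes) -> bool:
    # stand-in for the rule's '.scan.zip.encrypted': any entry with the encryption flag set
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & ZIP_ENCRYPTED for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def eml_with_encrypted_zip(raw: bytes) -> bool:
    # fires only when an attached message/rfc822 part itself carries an encrypted ZIP
    outer = email.message_from_bytes(raw, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the attached EML, parsed (file.parse_eml in the rule)
        for sub in inner.iter_attachments():
            blob = sub.get_payload(decode=True) or b""
            name = (sub.get_filename() or "").lower()  # rule: file_type or extension is "zip"
            if (blob[:4] == b"PK\x03\x04" or name.endswith(".zip")) and zip_is_encrypted(blob):
                return True
    return False

def make_zip(encrypted: bool) -> bytes:
    # constructed sample archive; the "encrypted" variant only sets the flag bit, no real cipher
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd_off = struct.unpack_from("<I", data, len(data) - 22 + 16)[0]  # EOCD -> CD offset
        data[6] |= ZIP_ENCRYPTED           # flag in the local file header
        data[cd_off + 8] |= ZIP_ENCRYPTED  # flag in the central directory entry
    return bytes(data)

def build_sample(nested: bool, encrypted: bool) -> bytes:
    # constructed message: the ZIP inside an attached EML (nested) or attached directly
    carrier = EmailMessage()
    carrier.set_content("Please see the attached archive.")
    carrier.add_attachment(make_zip(encrypted), maintype="application", subtype="zip", filename="invoice.zip")
    if not nested:
        return carrier.as_bytes()
    outer = EmailMessage()
    outer.add_attachment(carrier)  # serialised as a message/rfc822 attachment
    return outer.as_bytes()
```

A directly attached encrypted ZIP does not match, just as in the rule, because the check is scoped to attachments of the attached EML rather than the outer message.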