Attachment: Employment contract update with suspicious file naming

Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.

Sublime rule (View on GitHub)

```yaml
name: "Attachment: Employment contract update with suspicious file naming"
description: "Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated."
type: "rule"
severity: "high"
source: |
  type.inbound
  // two attachments, one png and one pptx
  and length(attachments) == 2
  // the pptx has Empl0yment in name
  and length(filter(attachments, strings.contains(.file_name, "Empl0yment"))) == 1
  and strings.icontains(body.current_thread.text,
                        "Your Employment Contract has being updated"
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "8bdcd2da-c970-5b55-81f8-1b95d3d9dce0"
```
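As an added example (not Sublime's code or its query API), the rule's logic re-implemented in Python over a constructed message, generalised from the single 'Empl0yment' string to other digit-for-letter swaps in attachment names; the message fields, look-alike table and helper names are assumptions.

```python
from typing import Any

# Assumed table of digit/letter look-alikes commonly used to dodge string matches.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LURE_WORDS = ("employment", "contract", "invoice", "payroll")
# Same lure sentence the rule matches (case-insensitive), typo included.
BODY_LURE = "your employment contract has being updated"


def normalise_name(file_name: str) -> str:
    """Map look-alike digits to letters so 'Empl0yment' compares as 'employment'."""
    stem = file_name.rsplit(".", 1)[0]
    return stem.lower().translate(LOOKALIKES)


def has_digit_substitution(file_name: str) -> bool:
    """True only when a lure word appears after mapping but not in the raw name."""
    raw = file_name.lower()
    fixed = normalise_name(file_name)
    return any(w in fixed and w not in raw for w in LURE_WORDS)


def matches_rule(msg: dict[str, Any]) -> bool:
    """Mirror of the rule: inbound, exactly two attachments, exactly one with a
    substituted lure word in its name, and the lure sentence in the body."""
    if msg.get("direction") != "inbound":
        return False
    attachments = msg.get("attachments", [])
    if len(attachments) != 2:
        return False
    substituted = [a for a in attachments if has_digit_substitution(a["file_name"])]
    if len(substituted) != 1:
        return False
    return BODY_LURE in msg.get("body_text", "").lower()


# Constructed sample messages, not real telemetry.
LURE_MSG = {
    "direction": "inbound",
    "attachments": [{"file_name": "logo.png"}, {"file_name": "Empl0yment_Contract.pptx"}],
    "body_text": "Hello,\n\nYour Employment Contract has being updated. See attached.",
}
BENIGN_MSG = {
    "direction": "inbound",
    "attachments": [{"file_name": "logo.png"}, {"file_name": "Employment_Contract.pptx"}],
    "body_text": "Your employment contract has been updated, see attached.",
}

if __name__ == "__main__":
    print(matches_rule(LURE_MSG), matches_rule(BENIGN_MSG))  # True False
```

Because `has_digit_substitution` requires the lure word to be absent from the raw name, a correctly spelled "Employment_Contract.pptx" does not trigger, which keeps the generalised check from flagging ordinary HR attachments.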