Encrypted Microsoft Office files from untrusted sender
Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.
Sublime rule (View on GitHub)
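name: "Encrypted Microsoft Office files from untrusted sender"
description: "Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          // Step 1: the attachment must look like an Office document.
          // `.file_name` and `.content_type` are supplied by the sender and
          // can be forged, mismatched or omitted; `.file_type` is derived from
          // the file contents by the platform, so it is the signal that
          // survives a renamed or mislabelled attachment. Any one of the three
          // is enough to proceed to the encryption check.
          // NOTE(review): whether the platform reports macro-enabled or binary
          // variants (docm/xlsm/xlsb/pptm) as distinct `.file_type` values is
          // not visible here, so those variants are covered by file name and
          // MIME type only - confirm against the platform's file_type list.
          (
            // Word documents, incl. macro-enabled (.docm) and macro template (.dotm)
            strings.iends_with(.file_name, ".doc")
            or strings.iends_with(.file_name, ".docx")
            or strings.iends_with(.file_name, ".docm")
            or strings.iends_with(.file_name, ".dotm")
            or .content_type in (
              "application/msword",
              "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
            )
            // The registered macro-enabled MIME type is mixed-case
            // ("macroEnabled"); compare case-insensitively rather than with ==.
            or strings.ilike(.content_type, "application/vnd.ms-word.document.macroenabled.12")
            or .file_type in ("doc", "docx")
            or

            // Excel documents, incl. macro-enabled (.xlsm), binary (.xlsb) and
            // macro template (.xltm) variants - all share the same encryption
            // containers as .xlsx
            strings.iends_with(.file_name, ".xls")
            or strings.iends_with(.file_name, ".xlsx")
            or strings.iends_with(.file_name, ".xlsm")
            or strings.iends_with(.file_name, ".xlsb")
            or strings.iends_with(.file_name, ".xltm")
            or .content_type in (
              "application/vnd.ms-excel",
              "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
            )
            or strings.ilike(.content_type, "application/vnd.ms-excel.sheet.macroenabled.12")
            or strings.ilike(.content_type, "application/vnd.ms-excel.sheet.binary.macroenabled.12")
            or .file_type in ("xls", "xlsx")
            or

            // PowerPoint documents, incl. macro-enabled (.pptm), slideshow
            // (.pps/.ppsx/.ppsm) and macro template (.potm) variants
            strings.iends_with(.file_name, ".ppt")
            or strings.iends_with(.file_name, ".pptx")
            or strings.iends_with(.file_name, ".pptm")
            or strings.iends_with(.file_name, ".pps")
            or strings.iends_with(.file_name, ".ppsx")
            or strings.iends_with(.file_name, ".ppsm")
            or strings.iends_with(.file_name, ".potm")
            or .content_type in (
              "application/vnd.ms-powerpoint",
              "application/vnd.openxmlformats-officedocument.presentationml.presentation"
            )
            or strings.ilike(.content_type, "application/vnd.ms-powerpoint.presentation.macroenabled.12")
            or strings.ilike(.content_type, "application/vnd.ms-powerpoint.slideshow.macroenabled.12")
            or .file_type in ("ppt", "pptx")
            or

            // Access databases (no content-derived .file_type check in the
            // original rule; name and MIME type only)
            strings.iends_with(.file_name, ".accdb")
            or strings.iends_with(.file_name, ".mdb")
            or .content_type in (
              "application/msaccess",
              "application/x-msaccess",
              "application/vnd.ms-access"
            )
          )
          // Step 2: the exploded attachment must trigger the platform's
          // AES-encryption YARA signature. This is the only encryption signal
          // used by the rule.
          // NOTE(review): confirm that 'aes_encryption_keywords' also fires on
          // legacy Office encryption (RC4/XOR on .doc/.xls/.ppt); if it does
          // not, password-protected legacy binaries pass this rule silently.
          and any(file.explode(.),
                  any(.scan.yara.matches, .name == 'aes_encryption_keywords')
          )
  )
  // Step 3: suppress high-trust sender domains unless the message carries an
  // explicit DMARC "fail" verdict. "*fail" matches only a fail result, so a
  // high-trust domain whose DMARC result is none/temperror/permerror, or that
  // has no DMARC result on any hop, stays suppressed - this is deliberate
  // (do not alert on trusted domains without evidence of spoofing) but means
  // an unauthenticated message from such a domain is not flagged here.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Sender analysis"
id: "eb7b26e7-2e74-5b25-8ecf-7fd401969e03"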