Encrypted Microsoft Office files from untrusted sender

Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.

Sublime rule (View on GitHub)

 1name: "Encrypted Microsoft Office files from untrusted sender"
 2description: "Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning."
 3type: "rule"
 4severity: "medium"
 5source: |
 6    type.inbound
 7    and any(attachments,
 8            (
 9              // Word documents
10              strings.iends_with(.file_name, ".doc")
11              or strings.iends_with(.file_name, ".docx")
12              or strings.iends_with(.file_name, ".docm")
13              or .content_type == "application/msword"
14              or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
15              or .file_type in ("doc", "docx")
16              or 
17    
18              // Excel documents
19              strings.iends_with(.file_name, ".xls")
20              or strings.iends_with(.file_name, ".xlsx")
21              or strings.iends_with(.file_name, ".xlsm")
22              or .content_type == "application/vnd.ms-excel"
23              or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
24              or .file_type in ("xls", "xlsx")
25              or 
26    
27              // PowerPoint documents
28              strings.iends_with(.file_name, ".ppt")
29              or strings.iends_with(.file_name, ".pptx")
30              or strings.iends_with(.file_name, ".pptm")
31              or .content_type == "application/vnd.ms-powerpoint"
32              or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
33              or .file_type in ("ppt", "pptx")
34              or 
35    
36              // Access documents
37              strings.iends_with(.file_name, ".accdb")
38              or strings.iends_with(.file_name, ".mdb")
39              or .content_type == "application/msaccess"
40              or .content_type == "application/x-msaccess"
41              or .content_type == "application/vnd.ms-access"
42            )
43            and any(file.explode(.),
44                    any(.scan.yara.matches, .name == 'aes_encryption_keywords')
45            )
46    )
47    // Negating high-trust sender domains unless they fail DMARC authentication
48    and (
49      (
50        sender.email.domain.root_domain in $high_trust_sender_root_domains
51        and (
52          any(distinct(headers.hops, .authentication_results.dmarc is not null),
53              strings.ilike(.authentication_results.dmarc, "*fail")
54          )
55        )
56      )
57      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58    )    
59tags:
60 - "Attack surface reduction"
61attack_types:
62  - "BEC/Fraud"
63  - "Callback Phishing"
64  - "Credential Phishing"
65  - "Extortion"
66  - "Malware/Ransomware"
67  - "Spam"
68tactics_and_techniques:
69  - "Encryption"
70  - "Evasion"
71detection_methods:
72  - "File analysis"
73  - "YARA"
74  - "Sender analysis"
75id: "eb7b26e7-2e74-5b25-8ecf-7fd401969e03"

Related rules

to-top