Encrypted Microsoft Office Files From Untrusted Senders
Detects encrypted (password-protected) Microsoft Office document attachments (Word, Excel, PowerPoint, Access) sent by untrusted senders, or by high-trust sender domains whose message fails DMARC authentication. Because an encrypted attachment cannot be opened by content scanners, encryption is a common way to smuggle a malicious file past security controls.
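name: "Encrypted Microsoft Office Files From Untrusted Senders"
description: "Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // At least one attachment must (a) look like an Office document and
  // (b) contain encryption artefacts after file.explode() analysis.
  and any(attachments,
          (
            // Word documents. Template (.dot/.dotx/.dotm) and macro-enabled
            // variants open in Word exactly like .doc/.docx, so an encrypted
            // file renamed to one of them would otherwise slip past this list.
            strings.iends_with(.file_name, ".doc")
            or strings.iends_with(.file_name, ".docx")
            or strings.iends_with(.file_name, ".docm")
            or strings.iends_with(.file_name, ".dot")
            or strings.iends_with(.file_name, ".dotx")
            or strings.iends_with(.file_name, ".dotm")
            or .content_type == "application/msword"
            or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
            or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.template"
            or .content_type == "application/vnd.ms-word.document.macroEnabled.12"
            or .content_type == "application/vnd.ms-word.template.macroEnabled.12"
            or .file_type == "msword"
            or

            // Excel workbooks, including the binary (.xlsb) format and
            // template/add-in variants, all of which support encryption.
            strings.iends_with(.file_name, ".xls")
            or strings.iends_with(.file_name, ".xlsx")
            or strings.iends_with(.file_name, ".xlsm")
            or strings.iends_with(.file_name, ".xlsb")
            or strings.iends_with(.file_name, ".xlt")
            or strings.iends_with(.file_name, ".xltx")
            or strings.iends_with(.file_name, ".xltm")
            or strings.iends_with(.file_name, ".xlam")
            or .content_type == "application/vnd.ms-excel"
            or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
            or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.template"
            or .content_type == "application/vnd.ms-excel.sheet.macroEnabled.12"
            or .content_type == "application/vnd.ms-excel.sheet.binary.macroEnabled.12"
            or .content_type == "application/vnd.ms-excel.template.macroEnabled.12"
            or .file_type == "msexcel"
            or

            // PowerPoint presentations, slideshows (.pps*) and templates (.pot*).
            strings.iends_with(.file_name, ".ppt")
            or strings.iends_with(.file_name, ".pptx")
            or strings.iends_with(.file_name, ".pptm")
            or strings.iends_with(.file_name, ".pps")
            or strings.iends_with(.file_name, ".ppsx")
            or strings.iends_with(.file_name, ".ppsm")
            or strings.iends_with(.file_name, ".pot")
            or strings.iends_with(.file_name, ".potx")
            or strings.iends_with(.file_name, ".potm")
            or strings.iends_with(.file_name, ".ppam")
            or .content_type == "application/vnd.ms-powerpoint"
            or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
            or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.slideshow"
            or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.template"
            or .content_type == "application/vnd.ms-powerpoint.presentation.macroEnabled.12"
            or .content_type == "application/vnd.ms-powerpoint.slideshow.macroEnabled.12"
            or .file_type == "mspowerpoint"
            or

            // Access databases (.accde is the compiled form of .accdb).
            strings.iends_with(.file_name, ".accdb")
            or strings.iends_with(.file_name, ".accde")
            or strings.iends_with(.file_name, ".mdb")
            or .content_type == "application/msaccess"
            or .content_type == "application/x-msaccess"
            or .content_type == "application/vnd.ms-access"
            or .file_type == "msaccess"
          )
          // Encryption is inferred from YARA hits on the exploded file tree.
          // NOTE(review): the YARA rule name suggests it keys on AES-related
          // strings. Office 97-2003 binaries encrypted with the legacy RC4
          // scheme may carry no such strings and would then be missed;
          // confirm against the 'aes_encryption_keywords' YARA definition.
          and any(file.explode(.),
                  any(.scan.yara.matches, .name == 'aes_encryption_keywords')
          )
  )
  // Suppress high-trust sender domains unless the message fails DMARC: a
  // failing DMARC result means the trusted domain may be spoofed. Only hops
  // that actually carry a DMARC result are inspected, so a high-trust sender
  // with no DMARC result at all is still suppressed. Equivalent to the
  // original "(trusted and dmarc-fail) or not trusted" expression.
  and (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
           strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Sender analysis"
id: "eb7b26e7-2e74-5b25-8ecf-7fd401969e03"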