Attachment: Encrypted Microsoft Office file (unsolicited)

Encrypted OLE2 (e.g. Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware-scanning products, since a scanner cannot inspect content it cannot decrypt. Use this rule if receiving encrypted attachments is not normal behavior in your environment.

Sublime rule

```yaml
name: "Attachment: Encrypted Microsoft Office file (unsolicited)"
description: |
  Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products.
  Use if receiving encrypted attachments is not normal behavior in your environment.
references:
  - "https://www.cyren.com/blog/articles/anatomy-of-an-attack-password-protected-files-attached-to-emails"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_macros
          and file.oletools(.).indicators.encryption.exists
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "OLE analysis"
  - "Sender analysis"
id: "1e47e953-576c-5ba9-b84e-b72a1a89de87"
```
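The rule's attachment and sender conditions re-expressed in Python, as an added example that is not Sublime's code or its query engine. The list contents, the `root_domain` approximation and the sample messages are constructed stand-ins, and the `ole_encrypted` flag takes the place of the `file.oletools(.).indicators.encryption.exists` indicator.

```python
from dataclasses import dataclass

# Constructed stand-ins for Sublime's $file_extensions_macros list and for the
# environment-specific $free_email_providers, $recipient_emails and
# $recipient_domains lists; the values are illustrative, not the real lists.
FILE_EXTENSIONS_MACROS = {"doc", "dot", "xls", "xlt", "ppt", "pot", "docm", "xlsm", "pptm"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"partner.person@gmail.com"}          # addresses the org has mailed before
RECIPIENT_DOMAINS = {"example.com", "supplier.example"}  # domains the org has mailed before

@dataclass
class Attachment:
    file_name: str
    ole_encrypted: bool  # stands in for file.oletools(.).indicators.encryption.exists

@dataclass
class Message:
    inbound: bool         # type.inbound
    sender_email: str     # sender.email.email
    attachments: list

def root_domain(domain):
    # Approximation of sender.email.domain.root_domain: keep the last two labels
    # (no public-suffix handling, so "mail.gmail.com" -> "gmail.com").
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def unsolicited_sender(sender_email):
    """The rule's two sender branches: a free-mail sender counts as known only by
    exact address; any other sender counts as known by its domain."""
    email = sender_email.lower()
    domain = email.split("@", 1)[1]
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        return email not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS

def has_encrypted_macro_capable_attachment(attachments):
    # any(attachments, .file_extension in~ $file_extensions_macros and <encrypted>);
    # in~ is a case-insensitive match, hence the lower().
    for att in attachments:
        ext = att.file_name.rsplit(".", 1)[-1].lower() if "." in att.file_name else ""
        if ext in FILE_EXTENSIONS_MACROS and att.ole_encrypted:
            return True
    return False

def rule_matches(msg):
    return (msg.inbound
            and has_encrypted_macro_capable_attachment(msg.attachments)
            and unsolicited_sender(msg.sender_email))
```

Note that the sender check is the only suppression the rule has: an encrypted macro-capable document from an address or domain the organization has never mailed fires regardless of subject or body.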