Attachment: Encrypted ZIP containing VHDX file

Detects inbound ZIP attachments that are password-protected (encrypted) and whose file listing contains a path ending in "vhdx". An encrypted archive cannot be content-scanned by a gateway that lacks the password, while the member names remain readable in the central directory, which is what lets the rule still see the path. A VHDX (Hyper-V virtual hard disk) image is a container that Windows mounts natively from Explorer, so the pairing is a common way to carry an executable payload past attachment inspection and into a user's file system.

Sublime rule

name: "Attachment: Encrypted ZIP containing VHDX file"
description: "Detects ZIP attachments that are encrypted and contain VHDX files, which may be used to bypass security controls or deliver malicious payloads."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "zip"),
          any(file.explode(.),
              .scan.zip.encrypted == true
              and any(.scan.zip.all_paths, strings.ends_with(., "vhdx"))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "bf477bfc-e1e4-5182-9ff8-9134c4378098"
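The `source` block reads left to right as: an inbound message, with at least one attachment typed as ZIP, whose exploded archive is flagged encrypted and whose path list has an entry ending in "vhdx". The Python below is an added example, not Sublime's code, that reproduces that logic offline by parsing the ZIP central directory directly, so a quarantined attachment can be triaged or the rule's conditions regression-tested without the platform. The attachment model (`file_type`, `data` dicts), the `mark_encrypted` helper and the sample archives are constructed for the example, and it assumes that `.scan.zip.encrypted` is true when any member carries the encryption flag. Two deliberate departures from the rule: the path check requires the `.vhdx` extension (the rule's `strings.ends_with(., "vhdx")` also matches a name that merely ends in those four letters), and it is case-insensitive, so a `PAYLOAD.VHDX` member is caught; confirm whether `strings.ends_with` is case-sensitive in your MQL version before relying on the rule alone for upper-case extensions.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: member is encrypted


def zip_entries(data):
    """Walk the ZIP central directory and return one dict per member.

    The central directory is read, as an archive scanner does, rather than
    the local headers, which a crafted file can leave inconsistent. Member
    names are stored in clear even in encrypted archives, so the listing is
    available without a password. ZIP64 and multi-disk archives are rejected.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, disk, cd_disk, _, total, _cd_size, cd_offset, _ = struct.unpack_from(
        "<4s4HIIH", data, eocd)
    if disk != 0 or cd_disk != 0 or total == 0xFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("multi-disk or ZIP64 archive not supported")
    entries = []
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)   # 46-byte fixed header
        flags, name_len, extra_len, comment_len, lfh_offset = f[3], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags,
                        "cdh_offset": pos, "lfh_offset": lfh_offset})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def mark_encrypted(data):
    """Set the encrypted flag on every member's central and local header.

    Only the flag is flipped; nothing is actually encrypted. This exists to
    construct a sample, because zipfile cannot write encrypted archives.
    """
    buf = bytearray(data)
    for e in zip_entries(data):
        if buf[e["lfh_offset"]:e["lfh_offset"] + 4] != LFH_SIG:
            raise ValueError("local header offset does not point at a local header")
        buf[e["cdh_offset"] + 8] |= FLAG_ENCRYPTED   # flags field sits at +8 in the central header
        buf[e["lfh_offset"] + 6] |= FLAG_ENCRYPTED   # and at +6 in the local header
    return bytes(buf)


def build_attachment(names, encrypted, file_type="zip"):
    """Constructed sample attachment in a hypothetical message model (not Sublime's)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content, not a real disk image")
    data = buf.getvalue()
    return {"file_type": file_type, "data": mark_encrypted(data) if encrypted else data}


def stdlib_flag_bits(data):
    """Cross-check: flag bits as the standard library's parser reads them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.flag_bits for zi in zf.infolist()]


def matches_rule(attachments):
    """Offline equivalent of the rule's `source` block over attachment dicts.

    Assumption: the archive counts as encrypted when any member carries the
    encrypted flag. The suffix check is on the '.vhdx' extension, case-insensitive.
    """
    for att in attachments:
        if att["file_type"] != "zip":
            continue
        entries = zip_entries(att["data"])
        encrypted = any(e["flags"] & FLAG_ENCRYPTED for e in entries)
        has_vhdx = any(e["name"].lower().endswith(".vhdx") for e in entries)
        if encrypted and has_vhdx:
            return True
    return False


if __name__ == "__main__":
    hit = build_attachment(["invoice/Scan_2024.vhdx"], encrypted=True)
    miss = build_attachment(["invoice/Scan_2024.vhdx"], encrypted=False)
    print("encrypted zip with vhdx ->", matches_rule([hit]))     # True
    print("plain zip with vhdx     ->", matches_rule([miss]))    # False
```

The detection never needs the password: traditional PKWARE and WinZip AES encryption protect member contents, not the central directory, so the `.vhdx` name is visible to any scanner that reads the listing. A sender who also wants to hide the name has to nest the archive, which is why `file.explode` and `all_paths` (rather than a top-level listing) matter in the original rule.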