Attachment: File execution via Javascript

calendar Jan 12, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Javascript contains identifiers or strings that may attempt to execute files.

Sublime rule (View on GitHub)

 1name: "Attachment: File execution via Javascript"
 2description: |
 3    Javascript contains identifiers or strings that may attempt to execute files.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          .file_type in $file_extensions_common_archives
10          and any(file.explode(.),
11                  any(.scan.javascript.identifiers,
12                      strings.ilike(., 'ActiveXObject', 'ShellExecute')
13                  )
14                  or (
15                    length(.scan.javascript.strings) > 0
16                    and all(.scan.javascript.strings,
17                            strings.ilike(., 'Shell.Application', '*.exe')
18                    )
19                  )
20          )
21  )
22  and (
23    profile.by_sender().prevalence in ("new", "outlier")
24    or profile.by_sender().any_messages_malicious_or_spam
25  )
26  and not profile.by_sender().any_messages_benign  
27tags:
28  - "Attack surface reduction"
29attack_types:
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Evasion"
33  - "Scripting"
34detection_methods:
35  - "Archive analysis"
36  - "File analysis"
37  - "Javascript analysis"
38  - "Sender analysis"
39id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"

Related rules

to-top