Attachment: Macro files containing MHT content

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.

Sublime rule

name: "Attachment: Macro files containing MHT content"
description: "Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_macros
          and any(file.explode(.),
                  .file_extension == "mht"
                  and not .flavors.mime == "message/rfc822"
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
id: "4d54e40b-b6ad-5e9d-ba5e-588cece0b7a6"
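As an added illustration (not code from the Sublime rule or its repository), the Python below approximates the rule's two-part check over constructed samples: a loose structural test stands in for `.file_extension == "mht"`, and a strict offset-0 header test stands in for `.flavors.mime == "message/rfc822"`, so a standard Word single-file web page passes while MHT content hidden behind leading padding in a macro-extension attachment is flagged. The macro extension list, the header-sniffing behaviour and the sample bytes are assumptions, not taken from the page.

```python
import io
import re
import zipfile

# Assumed stand-in for Sublime's $file_extensions_macros list (not taken from the page).
MACRO_EXTENSIONS = {"doc", "dot", "docm", "dotm", "xls", "xlsm", "xlam", "ppt", "pptm", "ppam"}
# Loose MHT markers searched anywhere near the start (stand-in for file_extension == "mht").
MIME_VERSION = re.compile(rb"MIME-Version:\s*1\.0", re.I)
MULTIPART_RELATED = re.compile(rb"Content-Type:\s*multipart/related", re.I)
# Assumed libmagic-style rule: message/rfc822 only when a header name sits at byte 0.
RFC822_LEADING = re.compile(rb"\A(MIME-Version|From|Received|Return-Path|Subject|Date|Message-ID):", re.I)

def is_mht(data: bytes) -> bool:
    """Structural MHT check: both markers present in the first 4 KiB, at any offset."""
    head = data[:4096]
    return bool(MIME_VERSION.search(head) and MULTIPART_RELATED.search(head))

def has_rfc822_flavor(data: bytes) -> bool:
    """Strict check mirroring flavors.mime == "message/rfc822": header at offset 0."""
    return bool(RFC822_LEADING.match(data))

def explode(data: bytes):
    """Yield what a scanner would extract: members of ZIP-based (OOXML) files, else the file itself."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    yield zf.read(info)
                return
        except zipfile.BadZipFile:
            pass
    yield data

def macro_file_hides_mht(filename: str, data: bytes) -> bool:
    """True when a macro-extension attachment contains MHT content that lacks the rfc822 flavor."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MACRO_EXTENSIONS:
        return False
    return any(is_mht(child) and not has_rfc822_flavor(child) for child in explode(data))

# Constructed samples: a clean Word "single file web page" and the same content behind padding.
CLEAN_MHT = b'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="b1"\r\n\r\n--b1\r\n'
PREFIXED_MHT = b"\r\n\r\n<!-- constructed padding -->\r\n" + CLEAN_MHT

def build_docm(member: bytes) -> bytes:
    """Constructed OOXML-like container holding one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/embeddings/oleObject1.bin", member)
    return buf.getvalue()
```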
