Attachment: Macro Files Containing MHT Content

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation. The rule fires on an inbound attachment with a macro-enabled extension that, once exploded, contains a member with an `mht` file extension whose content is not typed as a `message/rfc822` MIME message, an extension/content mismatch that points to format manipulation rather than a legitimate embedded web archive.

Sublime rule

name: "Attachment: Macro Files Containing MHT Content"
description: "Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_macros
          and any(file.explode(.),
                  .file_extension == "mht" and not .flavors.mime == "message/rfc822"
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
id: "4d54e40b-b6ad-5e9d-ba5e-588cece0b7a6"
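The same detection logic, written as a stand-alone Python check so the rule's two conditions can be seen working on sample input. This is an added example and not Sublime's code: `file.explode` is approximated by walking the members of an OOXML (zip) container, `.flavors.mime == "message/rfc822"` is approximated by a header sniff that looks for RFC 822 style headers at the start of the member, and `MACRO_EXTENSIONS` is a constructed subset of what `$file_extensions_macros` covers. Legacy OLE containers are out of scope for this example; the helper `build_sample` only exists to construct test attachments in memory.

```python
import io
import re
import zipfile

# Constructed subset of the extensions Sublime's $file_extensions_macros list covers.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam", "sldm"}

# A genuine MHT / web archive is an RFC 822 message: it opens with MIME headers.
# This sniff stands in for Sublime's .flavors.mime == "message/rfc822" (assumption).
_MIME_HEADER = re.compile(rb"^(MIME-Version|From|Content-Type|Subject|Date):", re.I | re.M)


def looks_like_rfc822(data: bytes) -> bool:
    """Return True if the first 2 KiB carry at least one RFC 822 style header line."""
    return _MIME_HEADER.search(data[:2048]) is not None


def extension_of(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none (mirrors .file_extension)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode_ooxml(blob: bytes):
    """Yield (member_name, member_bytes) for every file inside an OOXML zip container.

    Simplified stand-in for file.explode(.): it only descends one level and only
    handles zip-based containers.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)


def suspicious_mht_members(filename: str, blob: bytes) -> list[str]:
    """Names of embedded members that carry an .mht extension but are not MIME messages.

    Returns an empty list when the attachment is not macro-enabled or is not a zip
    container, matching the rule's outer `.file_extension in $file_extensions_macros`
    condition and this example's OOXML-only scope.
    """
    if extension_of(filename) not in MACRO_EXTENSIONS:
        return []
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return []  # legacy OLE (.doc/.xls) containers are not handled here
    return [
        name
        for name, data in explode_ooxml(blob)
        if extension_of(name) == "mht" and not looks_like_rfc822(data)
    ]


def build_sample(members: dict[str, bytes]) -> bytes:
    """Constructed helper: build a minimal OOXML-like zip with the given extra members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # constructed placeholder
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an .mht member whose bytes are not a MIME message.
    mismatched = build_sample({"word/embeddings/oleObject1.mht": b"\x4d\x5a\x90\x00 not-a-mime-message"})
    # Constructed sample: an .mht member that really is a MIME multipart archive.
    genuine = build_sample({
        "word/embeddings/page.mht": b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=x\r\n\r\n--x\r\n"
    })
    print("invoice.docm (mismatch):", suspicious_mht_members("invoice.docm", mismatched))
    print("invoice.docm (genuine): ", suspicious_mht_members("invoice.docm", genuine))
    print("invoice.docx (no macros):", suspicious_mht_members("invoice.docx", mismatched))
```

The check deliberately keys on the mismatch between the claimed `.mht` extension and the actual bytes rather than on the presence of MHT content alone, which is why a legitimately embedded web archive in the second sample does not fire.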
