Attachment: Office file with credential phishing URLs

Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis.

Sublime rule (View on GitHub)

  1name: "Attachment: Office file with credential phishing URLs"
  2description: "Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  // Filter to Office documents that contain 1-3 non-schema URLs
  8  and any(filter(attachments,
  9                 // Only check Office documents that can contain macros/embedded content
 10                 .file_extension in $file_extensions_macros
 11  
 12                 // Count URLs after filtering out common XML namespace/schema URLs
 13                 and 0 < sum(map(map(file.explode(.),
 14                                     // Filter out standard XML namespace URLs that appear in all Office docs
 15                                     filter(.scan.url.urls,
 16                                            // Exclude OpenXML format schemas
 17                                            .domain.domain not in (
 18                                              'schemas.openxmlformats.org',
 19                                              'schemas.microsoft.com',
 20                                              'www.w3.org'
 21                                            )
 22                                            // Additional Microsoft domain exclusion
 23                                            and not .domain.domain in (
 24                                              'microsoft.com',
 25                                              'wps.cn' // WPS is a china based alt to MS Office and used in namespaces of the documents created by that product
 26                                            )
 27                                            // Exclude Dublin Core persistent URLs (metadata schemas)
 28                                            and not (
 29                                              .domain.domain == 'purl.org'
 30                                              and strings.starts_with(.path,
 31                                                                      '/dc/'
 32                                              )
 33                                            )
 34                                            // Exclude Dublin Core XML schemas
 35                                            and not (
 36                                              .domain.domain == "dublincore.org"
 37                                              and strings.starts_with(.path,
 38                                                                      '/schemas/xmls/'
 39                                              )
 40                                            )
 41                                     )
 42                                 ),
 43                                 // Count URLs in each exploded file component
 44                                 length(.)
 45                             )
 46                 ) <= 3 // Only process attachments with 3 or fewer non-schema URLs
 47          ),
 48          // For the filtered Office documents, check for malicious URLs
 49          any(file.explode(.),
 50              any(
 51                  // Apply the same URL filtering to remove XML namespace noise
 52                  filter(.scan.url.urls,
 53                         .domain.domain not in (
 54                           'schemas.openxmlformats.org',
 55                           'schemas.microsoft.com',
 56                           'www.w3.org'
 57                         )
 58                         and not .domain.domain in (
 59                           'microsoft.com',
 60                           'wps.cn' // WPS is a china based alt to MS Office and used in namespaces of the documents created by that product
 61                         )
 62                         and not (
 63                           .domain.domain == 'purl.org'
 64                           and strings.starts_with(.path, '/dc/')
 65                         )
 66                         and not (
 67                           .domain.domain == "dublincore.org"
 68                           and strings.starts_with(.path, '/schemas/xmls/')
 69                         )
 70                  ),
 71                  // Run link analysis on the filtered URLs to detect phishing
 72                  ml.link_analysis(.).credphish.disposition == "phishing"
 73                  // confidence is only returned when brands, if it's not there, consider this true
 74                  // this ensures if there is a brand, the confidence is high
 75                  // and allows matching when there is no confidence
 76                  and coalesce(ml.link_analysis(.).credphish.confidence == "high", true)
 77                  and not (
 78                    ml.link_analysis(.).credphish.brand.name is not null
 79                    and ml.link_analysis(.).credphish.brand.name == "GoDaddy"
 80                    and strings.icontains(ml.link_analysis(.).final_dom.inner_text,
 81                                          'is parked free, courtesy of GoDaddy.com.'
 82                    )
 83                    and strings.icontains(ml.link_analysis(.).final_dom.inner_text,
 84                                          'Get This Domain'
 85                    )
 86                  )
 87              )
 88          )
 89  )  
 90attack_types:
 91  - "Credential Phishing"
 92tactics_and_techniques:
 93  - "Evasion"
 94  - "Social engineering"
 95detection_methods:
 96  - "File analysis"
 97  - "URL analysis"
 98  - "Archive analysis"
 99  - "Content analysis"
100id: "b2cae98d-3a93-5f49-bc81-1b20296cc332"
to-top