Attachment: Office Document with VSTO Add-in

Recursively scans files and archives to detect Office documents with VSTO Add-ins.


name: "Attachment: Office Document with VSTO Add-in"
description: |
    Recursively scans files and archives to detect Office documents with VSTO Add-ins.
type: "rule"
references:
  - "https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010"
severity: "high"
authors:
  - twitter: "vector_sec"
# Detection logic (MQL, below). The rule fires only when all three hold:
#   1. an inbound message carries an attachment whose extension is in
#      $file_extensions_macros or $file_extensions_common_archives, or that has
#      no extension, an "unknown" file type, an octet-stream content type and
#      a size under 100000000 bytes;
#   2. exploding that attachment yields an Office file (extension list below)
#      whose exiftool "Tag_AssemblyLocation" field references a .vsto manifest
#      that is neither under C:\Program Files nor matches any $org_domains entry;
#   3. the sender is unsolicited (or every Reply-To is a non-recipient) and has
#      no recorded false positives.
source: |
  // 1. attachment gate: macro/archive extensions, or an extension-less
  //    "unknown" octet-stream capped at 100000000 bytes so huge blobs are skipped
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
          )
          // 2. explode the attachment (archives included, per the description)
          //    and look for an Office document carrying a VSTO assembly reference
          and any(file.explode(.),
                  .file_extension in~ (
                    "doc",
                    "docm",
                    "docx",
                    "dot",
                    "dotm",
                    "xls",
                    "xlsx",
                    "xlsm",
                    "xlm",
                    "xlsb",
                    "xlt",
                    "xltm",
                    "ppt",
                    "pptx",
                    "pptm",
                    "ppsm"
                  )
                  // the exiftool field Tag_AssemblyLocation holds the add-in manifest path;
                  // a local C:\Program Files* install and org-owned domains are excluded.
                  // NOTE(review): both exclusions are plain pattern matches on metadata
                  // read from the attachment itself, so they are allowlists, not proof of origin.
                  // '..value' appears to reference the enclosing field's value — confirm.
                  and any(.scan.exiftool.fields,
                          .key == "Tag_AssemblyLocation" and strings.ilike(.value, "*.vsto*")
                          and not strings.ilike(.value, 'C:\Program Files*')
                          and not any($org_domains, strings.contains(..value, .))
                  )
          )
  )
  // the message is unsolicited and no false positives
  // 3. sender context: either the sender profile is not solicited, or a Reply-To
  //    is present and none of its addresses are among the recipients
  and (
    not profile.by_sender().solicited
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  and not profile.by_sender().any_false_positives  

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
  # NOTE(review): the source above uses no URL-specific function; confirm
  # "URL analysis" is intended here.
  - "URL analysis"
id: "27afa730-6dd5-58ec-9deb-ed5170de210d"