Attachment: Office document with VSTO add-in

Recursively scans files and archives to detect Office documents with VSTO Add-ins.

Sublime rule

name: "Attachment: Office document with VSTO add-in"
description: |
    Recursively scans files and archives to detect Office documents with VSTO Add-ins.
type: "rule"
references:
  - "https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010"
severity: "high"
authors:
  - twitter: "vector_sec"
# MQL query. Stage 1 selects attachments worth exploding, stage 2 explodes
# them and inspects exiftool metadata of any Office document found, and the
# final clauses suppress known/solicited senders.
source: |
  // Stage 1: inbound mail with at least one attachment that is either a
  // macro-capable Office extension, a common archive extension, or an
  // extensionless blob the scanner reports as file_type "unknown" with an
  // octet-stream content type and a size below 100000000 (presumably bytes).
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          // Stage 2: explode the attachment (the description says this recurses
          // through archives) and look for an Office document whose exiftool
          // metadata carries a Tag_AssemblyLocation value referencing a .vsto
          // manifest. Values starting with C:\Program Files (presumably locally
          // installed add-ins) and values containing one of the org's own
          // domains are treated as expected and skipped.
          // NOTE(review): the stage-1 filter relies on $file_extensions_macros;
          // if that list does not include the non-macro formats enumerated
          // below (docx, xlsx, pptx), a bare docx/xlsx/pptx attachment would
          // only be inspected when delivered inside an archive -- confirm the
          // list contents.
          and any(file.explode(.),
                  .file_extension in~ (
                    "doc",
                    "docm",
                    "docx",
                    "dot",
                    "dotm",
                    "xls",
                    "xlsx",
                    "xlsm",
                    "xlm",
                    "xlsb",
                    "xlt",
                    "xltm",
                    "ppt",
                    "pptx",
                    "pptm",
                    "ppsm"
                  )
                  and any(.scan.exiftool.fields,
                          .key == "Tag_AssemblyLocation"
                          and strings.ilike(.value, "*.vsto*")
                          and not strings.ilike(.value, 'C:\Program Files*')
                          // ..value is read here as the enclosing field's .value
                          // (parent-scope reference) -- verify against MQL docs;
                          // skip the hit when it contains any org domain.
                          and not any($org_domains, strings.contains(..value, .))
                  )
          )
  )
  // the message is unsolicited and no false positives
  // Either the sender profile is not marked solicited, or the message carries
  // at least one Reply-To header and none of the Reply-To addresses is among
  // the recipient addresses.
  and (
    not profile.by_sender().solicited
    or (
      length(headers.reply_to) > 0
      and all(headers.reply_to, .email.email not in $recipient_emails)
    )
  )
  // Suppress senders whose profile reports any_messages_benign.
  and not profile.by_sender().any_messages_benign  
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
# NOTE(review): "URL analysis" is listed, but the query above only inspects
# exiftool metadata, file extensions and the sender profile; the $org_domains
# check on the Tag_AssemblyLocation value may be what this refers to -- confirm.
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "27afa730-6dd5-58ec-9deb-ed5170de210d"