Attachment: Office document loads remote document template

 1name: "Attachment: Office document loads remote document template"
 2description: |
 3    Recursively scans archives and Office documents to detect remote document template injection.
 4references:
 5  - "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            (
13              // office files
14              .file_extension in~ $file_extensions_macros
15              or .file_extension in~ $file_extensions_common_archives
16              or (
17                .file_extension is null
18                and .file_type == "unknown"
19                and .content_type == "application/octet-stream"
20                and .size < 100000000
21              )
22            )
23            and any(file.explode(.),
24                    .flavors.mime == "text/xml"
25                    and any(.scan.strings.strings,
26                            regex.icontains(., "Target.{0,20}http.{0,200}dotm")
27                    )
28            )
29          )
30  )  
31tags:
32  - "Attack surface reduction"
33attack_types:
34  - "Malware/Ransomware"
35detection_methods:
36  - "Archive analysis"
37  - "File analysis"
38  - "URL analysis"
39id: "d9601104-c330-5995-9fae-4d30b969c081"