Attachment: Office file with document sharing and browser instruction lures

Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.

Sublime rule (View on GitHub)

  1name: "Attachment: Office file with document sharing and browser instruction lures"
  2description: "Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and any(filter(attachments,
  8                 .file_extension in $file_extensions_macros
  9                 // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
 10                 and .size < 2000000
 11          ),
 12          // Detection Note: There are multiple regex patterns used in multiple places, it'll be important to keep them in sync
 13          any(file.explode(.),
 14              // document sharing lure
 15              (
 16                length(.scan.strings.raw, ) < 1000
 17                and regex.icontains(.scan.strings.raw,
 18                                    '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
 19                )
 20              )
 21  
 22              // ocr output
 23              or (
 24                length(.scan.ocr.raw) < 1000
 25                and regex.icontains(.scan.ocr.raw,
 26                                    '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
 27                )
 28              )
 29              or (
 30                length(.scan.ocr.raw) < 500
 31                and strings.ends_with(.scan.ocr.raw, 'REVIEW DOCUMENTS')
 32              )
 33          )
 34          // copy/paste stuff or disclaimer text in the OCR output
 35          and (
 36            any(file.explode(.),
 37                (
 38                  length(.scan.strings.raw, ) < 1000
 39                  and (
 40                    regex.icontains(.scan.strings.raw,
 41                                    '(?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser',
 42                                    'click.{0,50}(?:above|below) to access'
 43                    )
 44                  )
 45                )
 46  
 47                // ocr output
 48                or (
 49                  length(.scan.ocr.raw) < 1000
 50                  and (
 51                    regex.icontains(.scan.ocr.raw,
 52                                    '(?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser',
 53                                    'click.{0,50}(?:above|below) to access'
 54                    )
 55                  )
 56                )
 57                or 5 of (
 58                  strings.icontains(.scan.ocr.raw,
 59                                    'confidential and intended solely'
 60                  ),
 61                  strings.icontains(.scan.ocr.raw,
 62                                    'intended solely for the use of'
 63                  ),
 64                  strings.icontains(.scan.ocr.raw, 'intended recipient'),
 65                  strings.icontains(.scan.ocr.raw, 'received this email in error'),
 66                  strings.icontains(.scan.ocr.raw,
 67                                    'notify the sender immediately'
 68                  ),
 69                  strings.icontains(.scan.ocr.raw, 'delete it from your system'),
 70                  strings.icontains(.scan.ocr.raw, 'delete the email from'),
 71                  strings.icontains(.scan.ocr.raw, 'virus-free'),
 72                  strings.icontains(.scan.ocr.raw, 'scan for viruses'),
 73                  strings.icontains(.scan.ocr.raw, 'legally binding agreement'),
 74                  strings.icontains(.scan.ocr.raw, 'informational purposes only'),
 75                  strings.icontains(.scan.ocr.raw,
 76                                    'any attachments are confidential'
 77                  ),
 78                  strings.icontains(.scan.ocr.raw, 'loss or damage arising'),
 79                  strings.icontains(.scan.ocr.raw, 'responsibility for any loss'),
 80                  strings.icontains(.scan.ocr.raw, 'unauthorised and prohibited'),
 81                  strings.icontains(.scan.ocr.raw, 'subject to legal privilege'),
 82                  strings.icontains(.scan.ocr.raw,
 83                                    'The information contained in or attached'
 84                  ),
 85                  strings.icontains(.scan.ocr.raw,
 86                                    'people to whom it is addressed'
 87                  ),
 88                  strings.icontains(.scan.ocr.raw,
 89                                    'received this in error, please inform'
 90                  ),
 91                  strings.icontains(.scan.ocr.raw, 'inform the sender and/or'),
 92                  strings.icontains(.scan.ocr.raw,
 93                                    'immediately and delete the material'
 94                  ),
 95                  strings.icontains(.scan.ocr.raw,
 96                                    'confidential and/or privileged material'
 97                  ),
 98                  strings.icontains(.scan.ocr.raw,
 99                                    'The information transmitted is intended'
100                  ),
101                  strings.icontains(.scan.ocr.raw,
102                                    'other than the intended recipient is prohibited'
103                  ),
104                  strings.icontains(.scan.ocr.raw,
105                                    'intended for use by the addressee'
106                  ),
107                  strings.icontains(.scan.ocr.raw,
108                                    'taking of any action in reliance upon'
109                  )
110                )
111            )
112          )
113  )  
114attack_types:
115  - "Credential Phishing"
116tactics_and_techniques:
117  - "Social engineering"
118  - "Evasion"
119detection_methods:
120  - "Archive analysis"
121  - "File analysis"
122  - "Macro analysis"
123  - "Optical Character Recognition"
124  - "Content analysis"
125id: "b1250a4b-fd4d-5c52-af60-83800eedac10"
to-top