Attachment: Office file with suspicious function calls or downloaded file path
An attached Office file contains suspicious function calls or a known malicious file path pattern.
# Sublime Security detection rule (MQL in the `source` block).
# Matches an inbound message that carries an Office-type (or archive / extensionless
# blob) attachment whose extracted strings show either a download-on-open macro
# (URLDownloadToFile + Auto_Open) or the fixed drop-path pattern from the reference,
# and that comes from a sender with no established benign history.
name: "Attachment: Office file with suspicious function calls or downloaded file path"
description: "Attached Office file contains suspicious function calls or known malicious file path pattern."
references:
  # Sample this rule was written against; the regex below encodes its drop path.
  - "https://app.docguard.io/c3e75d7a32a4959724f24c1004724951482cd732db7d287989c873c09166ff95/c3036de5-89b1-49c6-9681-706f5b9af264/0/results/dashboard"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            // Attachment candidates: macro-capable Office extensions or common archive
            // extensions (built-in lists; in~ is case-insensitive) ...
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            // ... or an extensionless, unidentified octet-stream blob. The size cap
            // presumably bounds explode/string-scan cost on this catch-all branch —
            // TODO confirm the 100000-byte threshold against observed samples.
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000
            )
          )
          and (
            // Explode the attachment (archive members, embedded files) and scan the
            // extracted strings. Both checks are substring matches on extracted
            // strings, so a macro that splits or encodes these names will not match.
            any(file.explode(.),
                (
                  // Payload fetch API paired with the Excel auto-run macro name.
                  any(.scan.strings.strings, strings.ilike(., '*URLDownloadToFile*'))
                  and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
                )
                // Drop path of exactly three seven-letter directory components.
                // Fixed width: variants with a different component length or
                // count are not caught by this pattern.
                or any(.scan.strings.strings,
                       regex.icontains(., 'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}')
                )
            )
          )
  )
  // Sender-reputation gate: an unfamiliar, unsolicited sender, or one that has
  // already sent malicious/spam messages.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // Global false-positive exclusion applied to both branches; it makes the
  // any_false_positives clause inside the second branch above redundant.
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "4c78b969-9df8-59e1-8f65-43afdb06c817"