Attachment: MS OOXML file created by Administrator with zero edit time

Detects inbound MS OOXML attachments (.pptx and .docx) whose document metadata lists the creator as 'Administrator' and a total edit time of zero minutes, while the 'TitlesOfParts' field is absent. Office applications normally populate TitlesOfParts when saving, so its absence together with the other two properties may indicate a programmatically generated or otherwise suspicious file. Note that all three properties are trivially attacker-controlled, so this is a weak-signal indicator best combined with other attachment or sender checks.

Sublime rule (View on GitHub)

name: "Attachment: MS OOXML file created by Administrator with zero edit time"
description: "Detects inbound PowerPoint (.pptx) and other MS OOXML attachments where the file creator is listed as 'Administrator' and the total edit time is zero minutes, while missing the 'TitlesOfParts' metadata field. This pattern may indicate programmatically generated or suspicious presentation files."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type in ("pptx", "docx")),
          beta.parse_exif(.).creator == "Administrator"
          and any(beta.parse_exif(.).fields,
                  .key == "TotalEditTime" and .value == "0"
          )
          and not 'TitlesOfParts' in map(beta.parse_exif(.).fields, .key)
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "e6175f24-12b5-52a7-8c76-74ee289a6c82"
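The following is an added example, not Sublime's code or part of the rule above. It re-implements the rule's three metadata checks directly against the docProps parts of an OOXML zip, so you can see which XML elements the rule's `beta.parse_exif` fields come from: `dc:creator` in docProps/core.xml, `TotalTime` in docProps/app.xml (which ExifTool reports under the name `TotalEditTime`), and `TitlesOfParts` in docProps/app.xml. The field-name mapping to ExifTool is an assumption on my part; the sample files are constructed fixtures containing only the docProps parts, not valid presentations, and `build_ooxml`, `ooxml_metadata` and `matches_rule` are names I chose.

```python
"""Re-implement the Sublime rule's metadata checks on raw OOXML zip contents.

Added example (not the rule's own code). Maps OOXML XML elements onto the
ExifTool-style names the rule uses; that mapping is an assumption.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"


def ooxml_metadata(data: bytes) -> dict:
    """Return the metadata fields the rule cares about, keyed by ExifTool-style
    names: Creator (core.xml dc:creator), TotalEditTime (app.xml TotalTime),
    TitlesOfParts (app.xml TitlesOfParts, as a list of strings)."""
    fields = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            creator = core.find(f"{{{NS_DC}}}creator")
            if creator is not None:
                fields["Creator"] = (creator.text or "").strip()
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            total = app.find(f"{{{NS_APP}}}TotalTime")
            if total is not None:
                fields["TotalEditTime"] = (total.text or "").strip()
            titles = app.find(f"{{{NS_APP}}}TitlesOfParts")
            if titles is not None:
                fields["TitlesOfParts"] = [
                    s.text or "" for s in titles.iter(f"{{{NS_VT}}}lpstr")
                ]
    return fields


def matches_rule(data: bytes, file_type: str) -> bool:
    """Same predicate as the rule: pptx/docx, creator Administrator,
    zero edit time, and no TitlesOfParts field at all."""
    if file_type not in ("pptx", "docx"):
        return False
    f = ooxml_metadata(data)
    return (
        f.get("Creator") == "Administrator"
        and f.get("TotalEditTime") == "0"
        and "TitlesOfParts" not in f
    )


def build_ooxml(creator: str, total_time: int, titles=None) -> bytes:
    """Constructed fixture: a zip with only the docProps parts the rule reads.
    Not a valid Office document, just enough structure to exercise the checks."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
        f"<dc:creator>{escape(creator)}</dc:creator></cp:coreProperties>"
    )
    titles_xml = ""
    if titles is not None:  # Office writes this; from-scratch generators often do not
        items = "".join(f"<vt:lpstr>{escape(t)}</vt:lpstr>" for t in titles)
        titles_xml = (
            f'<TitlesOfParts><vt:vector size="{len(titles)}" baseType="lpstr">'
            f"{items}</vt:vector></TitlesOfParts>"
        )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS_APP}" xmlns:vt="{NS_VT}">'
        f"<TotalTime>{total_time}</TotalTime>{titles_xml}</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Constructed samples: one that should fire, two near misses.
SAMPLES = {
    "scripted": build_ooxml("Administrator", 0),
    "real_edit": build_ooxml("Administrator", 0, titles=["Arial", "Office Theme", "Slide 1"]),
    "other_user": build_ooxml("jdoe", 0),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: matches={matches_rule(blob, 'pptx')} fields={ooxml_metadata(blob)}")
```

Running the script shows only the `scripted` fixture matching; the `real_edit` fixture is excluded purely because TitlesOfParts is present, which is the part of the rule that most distinguishes Office-saved files from library-generated ones.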