Attachment soliciting user to enable macros
Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.
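# Sublime detection rule: flags inbound mail whose macro-capable or archived
# attachments contain "please enable macros" text (either in the extracted
# strings of a file or in OCR'd text of an embedded image) and whose sender is
# not one of the recipients' own identities or domains.
name: "Attachment soliciting user to enable macros"
description: |
  Recursively scans files and archives to detect documents that ask the
  user to enable macros, including if that text appears within an embedded image.
references:
  - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
type: "rule"
severity: "high"
# The MQL below is evaluated per message. The attachment pre-filter is keyed on
# the declared file extension: an attachment whose extension is in neither
# $file_extensions_macros nor $file_extensions_common_archives is never
# exploded or scanned, so a lure with an unlisted or missing extension falls
# outside this rule. NOTE(review): confirm those lists cover the extensions
# seen in practice.
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
          )
          // explode archives/documents and inspect every extracted file
          and any(file.explode(.),
                  // OCR text of embedded images. A trailing wildcard is used so
                  // the match does not depend on the OCR text ending exactly at
                  // "macros" (ilike patterns are anchored -- TODO confirm), and
                  // so this mirrors the strings pattern below; anything the
                  // narrower pattern matched still matches here.
                  strings.ilike(.scan.ocr.raw, "*please*enable*macros*")
                  or any(.scan.strings.strings, strings.ilike(., "*please enable macros*"))
          )
  )
  // sender is external to the recipients: either a free-mail sender who is
  // not themselves a recipient, or an organizational sender whose domain is
  // not one of the recipient domains
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"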