Attachment soliciting user to enable macros
Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.
Sublime detection rule (YAML source below)
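name: "Attachment soliciting user to enable macros"
description: |
  Recursively scans files and archives to detect documents that ask the
  user to enable macros, including if that text appears within an embedded image.
references:
  - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
type: "rule"
severity: "high"
# Three conjoined conditions: an inbound message with a candidate attachment,
# a "please enable macros" lure found inside that attachment (or anything
# exploded out of it), and a sender profile that is unsolicited or previously bad.
source: |
  type.inbound
  and any(attachments,
          (
            // Candidate attachments: macro-capable document types, common
            // archive types (their contents are exploded below), or an
            // extension-less blob the file-type detector could not classify,
            // capped at 100,000,000 bytes so huge blobs are not exploded.
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          // Look for the lure in OCR text from embedded images (wildcards
          // between words because OCR spacing/line breaks are unreliable) or
          // in the extracted strings of the file.
          // NOTE(review): strings.ilike appears to match the whole value, as the
          // strings branch below assumes with its bracketing wildcards; the OCR
          // branch previously lacked the trailing "*", which would require the
          // OCR text to END with "macros" and miss e.g. "please enable macros
          // to view". Both patterns now carry a trailing wildcard — confirm
          // against the MQL docs for strings.ilike.
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw, "*please*enable*macros*")
                  or any(.scan.strings.strings, strings.ilike(., "*please enable macros*"))
          )
  )
  // Sender gate: fire on unsolicited senders, or on solicited senders that
  // already have malicious/spam history and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"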