Suspicious VBA macros from untrusted sender
Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
Sublime rule:

```yaml
name: "Suspicious VBA macros from untrusted sender"
description: |
  Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and ml.macro_classifier(.).malicious
          and ml.macro_classifier(.).confidence in ("high")
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
detection_methods:
  - "File analysis"
  - "Macro analysis"
  - "Sender analysis"
id: "37cec120-2757-5e99-a489-1315780dae08"
```
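The following is an added example, not Sublime's code and not part of the rule above: a stand-alone Python model of the rule's three gates (attachment candidate, classifier verdict, sender reputation) run over a few constructed messages, so the conditions under which the rule fires or stays quiet can be checked offline. The contents of `$file_extensions_macros`, the dict-like message shape, and the stand-in classifier fields are assumptions; the classifier verdict follows the `source` expression as written (`confidence in ("high")`).

```python
"""Model of the 'Suspicious VBA macros from untrusted sender' rule logic.

Added example. Assumptions not taken from the rule text:
  * FILE_EXTENSIONS_MACROS approximates Sublime's $file_extensions_macros list.
  * ml.macro_classifier(.) is replaced by two fields stored on the attachment.
  * profile.by_sender() is replaced by a SenderProfile dataclass.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed approximation of $file_extensions_macros (macro-enabled Office formats).
FILE_EXTENSIONS_MACROS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


@dataclass
class Attachment:
    file_extension: Optional[str]
    file_type: str
    content_type: str
    size: int
    classifier_malicious: bool   # stands in for ml.macro_classifier(.).malicious
    classifier_confidence: str   # stands in for ml.macro_classifier(.).confidence


@dataclass
class SenderProfile:
    prevalence: str                        # e.g. "new", "outlier", "common"
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment]
    sender: SenderProfile


def attachment_is_macro_candidate(a: Attachment) -> bool:
    """Gate 1: a known macro extension (in~ is case-insensitive, hence lower()),
    or an extensionless, unidentified octet-stream blob under 100 MB."""
    known_ext = a.file_extension is not None and a.file_extension.lower() in FILE_EXTENSIONS_MACROS
    unlabelled_blob = (
        a.file_extension is None
        and a.file_type == "unknown"
        and a.content_type == "application/octet-stream"
        and a.size < 100_000_000
    )
    return known_ext or unlabelled_blob


def attachment_matches(a: Attachment) -> bool:
    """Gate 2: the candidate must also be flagged malicious with high confidence."""
    return attachment_is_macro_candidate(a) and a.classifier_malicious and a.classifier_confidence in ("high",)


def sender_is_untrusted(p: SenderProfile) -> bool:
    """Gate 3: sender is new/outlier, or has prior bad mail and no recorded false positives."""
    return p.prevalence in ("new", "outlier") or (
        p.any_messages_malicious_or_spam and not p.any_false_positives
    )


def rule_matches(m: Message) -> bool:
    return m.inbound and any(attachment_matches(a) for a in m.attachments) and sender_is_untrusted(m.sender)


def evaluate_samples() -> Dict[str, bool]:
    """Constructed sample messages (not real telemetry) exercising each gate."""
    bad_docm = Attachment("docm", "docm", "application/vnd.ms-word.document.macroEnabled.12", 40_000, True, "high")
    blob = Attachment(None, "unknown", "application/octet-stream", 120_000, True, "high")
    benign_docm = Attachment("DOCM", "docm", "application/vnd.ms-word.document.macroEnabled.12", 40_000, False, "low")
    medium_docm = Attachment("docm", "docm", "application/vnd.ms-word.document.macroEnabled.12", 40_000, True, "medium")
    new_sender = SenderProfile("new", False, False)
    known_good = SenderProfile("common", False, False)
    repeat_offender = SenderProfile("common", True, False)
    vetted_offender = SenderProfile("common", True, True)
    return {
        "new_sender_bad_docm": rule_matches(Message(True, [bad_docm], new_sender)),
        "outbound_is_ignored": rule_matches(Message(False, [bad_docm], new_sender)),
        "known_good_sender": rule_matches(Message(True, [bad_docm], known_good)),
        "repeat_offender_blob": rule_matches(Message(True, [blob], repeat_offender)),
        "offender_with_false_positives": rule_matches(Message(True, [blob], vetted_offender)),
        "benign_macro_new_sender": rule_matches(Message(True, [benign_docm], new_sender)),
        "medium_confidence_only": rule_matches(Message(True, [medium_docm], new_sender)),
    }


if __name__ == "__main__":
    for case, hit in evaluate_samples().items():
        print(f"{case:32} -> {'MATCH' if hit else 'no match'}")
```

Note that `medium_confidence_only` does not fire: the `source` expression only accepts `confidence in ("high")`, so a medium-confidence classifier verdict is not enough even from a new sender, whatever the description text says about a medium threshold.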