Attachment: Suspicious VBA macros from first-time sender
Detects inbound messages carrying a macro-enabled attachment that the Sublime Macro Classifier flags as malicious with high confidence (the rule's confidence in ("high") check is stricter than the "medium" threshold its description mentions), sent by a first-time sender: free-mail senders are matched on the full address against $sender_emails, all other senders on the sending domain against $sender_domains.
Sublime rule
name: "Attachment: Suspicious VBA macros from first-time sender"
description: |
  Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_macros
          and ml.macro_classifier(.).malicious
          and ml.macro_classifier(.).confidence in ("high")
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
detection_methods:
  - "File analysis"
  - "Macro analysis"
  - "Sender analysis"
id: "37cec120-2757-5e99-a489-1315780dae08"
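To make the rule's two-part logic concrete, the following is an added example (not Sublime's engine or any code from the rule repository) that re-implements the match conditions in plain Python over constructed messages. The classifier verdict is supplied as input rather than computed, the $-lists are stood in by small assumed sets, and root_domain() uses a two-label approximation instead of the public suffix list Sublime's root_domain attribute relies on. It shows the two things a practitioner should check: a "medium" verdict does not fire, and a free-mail sender is keyed on the full address while a non-free-mail sender is keyed on the exact sending domain (so a never-seen subdomain of a known partner domain still fires).

```python
"""Added illustration of the rule's match logic; not Sublime's implementation."""
from dataclasses import dataclass
from typing import List

# Constructed stand-ins for the Sublime lists referenced by the rule (assumed contents).
FILE_EXTENSIONS_MACROS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SENDER_EMAILS = {"alice@gmail.com"}        # previously seen free-mail addresses
SENDER_DOMAINS = {"partner.example"}       # previously seen sending domains


@dataclass
class Attachment:
    file_name: str
    classifier_malicious: bool      # stands in for ml.macro_classifier(.).malicious
    classifier_confidence: str      # "low" | "medium" | "high"

    @property
    def file_extension(self) -> str:
        # Lower-cased to mirror the case-insensitive `in~` operator in the rule.
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class Message:
    sender_email: str
    inbound: bool
    attachments: List[Attachment]


def root_domain(domain: str) -> str:
    """Assumption: last two labels are the registrable domain (no public suffix list)."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def suspicious_macro(att: Attachment) -> bool:
    """Per-attachment clause: macro extension AND malicious verdict AND high confidence."""
    return (att.file_extension in FILE_EXTENSIONS_MACROS
            and att.classifier_malicious
            and att.classifier_confidence == "high")


def first_time_sender(sender_email: str) -> bool:
    """Sender clause: free-mail senders keyed on address, others on the exact domain."""
    email = sender_email.lower()
    domain = email.rpartition("@")[2]
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        return email not in SENDER_EMAILS
    # Note the rule compares sender.email.domain.domain (full domain), not the root,
    # so "mail.partner.example" is "new" even though "partner.example" is known.
    return domain not in SENDER_DOMAINS


def rule_matches(msg: Message) -> bool:
    return (msg.inbound
            and any(suspicious_macro(a) for a in msg.attachments)
            and first_time_sender(msg.sender_email))


# Constructed sample messages exercising each branch.
HIGH = Attachment("invoice.docm", True, "high")
MEDIUM = Attachment("invoice.docm", True, "medium")
SAMPLES = {
    "new_freemail_high": Message("bob@gmail.com", True, [HIGH]),
    "known_freemail_high": Message("alice@gmail.com", True, [HIGH]),
    "new_corp_domain_high": Message("ceo@evil.example", True, [HIGH]),
    "known_corp_domain_high": Message("ap@partner.example", True, [HIGH]),
    "subdomain_of_known_corp": Message("ap@mail.partner.example", True, [HIGH]),
    "new_freemail_medium": Message("bob@gmail.com", True, [MEDIUM]),
    "outbound_high": Message("bob@gmail.com", False, [HIGH]),
}


def run_samples() -> dict:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:28s} {'MATCH' if hit else 'no match'}")
```

The subdomain case is the caveat worth tuning for: if your $sender_domains list holds registrable domains, consider whether the rule's exact-domain comparison is the behaviour you want, or whether a root_domain comparison better fits how your vendors send mail.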