Attachment: TAR file with RAR type

Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique.

Sublime rule

name: "Attachment: TAR file with RAR type"
description: "Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments, .file_extension =~ "tar" and .file_type =~ "rar")

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "364a0ea6-8011-5de2-b4c5-5eff8134037a"
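The rule above relies on Sublime's `.file_extension` and `.file_type` fields, where `=~` is a case-insensitive string match. The following is an added example, not code from the Sublime rule or the Sublime project, that reproduces the same extension-versus-content check outside the platform by sniffing well-known archive signatures (RAR4/RAR5 headers, the POSIX `ustar` tar magic at offset 257). The `Attachment` class, the sample attachments and the helper names are constructed for illustration; how Sublime itself derives `.file_type` is an assumption here.

```python
"""Extension/content mismatch check mirroring the Sublime rule's logic.

Added example, not part of the Sublime rule or Sublime's own code.
The detection reuses the rule's condition (declared extension is "tar",
actual content is RAR) but determines the content type from magic bytes.
"""
from dataclasses import dataclass
from typing import List, Optional

# Public file-format signatures used to identify the real content type.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive header
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive header
TAR_MAGIC = b"ustar"                    # POSIX tar magic ...
TAR_MAGIC_OFFSET = 257                  # ... found at this offset in the header


@dataclass
class Attachment:
    """Minimal stand-in for an email attachment (constructed for this example)."""
    file_name: str
    content: bytes


def file_extension(name: str) -> str:
    """Lower-cased extension without the dot; empty string if there is none."""
    if "." not in name:
        return ""
    return name.rpartition(".")[2].lower()


def sniff_file_type(data: bytes) -> Optional[str]:
    """Return 'rar', 'tar' or None based on the content's magic bytes."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return None


def is_tar_named_rar(att: Attachment) -> bool:
    """Python equivalent of: .file_extension =~ "tar" and .file_type =~ "rar"."""
    return file_extension(att.file_name) == "tar" and sniff_file_type(att.content) == "rar"


def flagged_attachments(attachments: List[Attachment]) -> List[str]:
    """Names of attachments whose extension claims tar but whose bytes are RAR."""
    return [a.file_name for a in attachments if is_tar_named_rar(a)]


def _fake_tar_header() -> bytes:
    """Constructed 512-byte tar header carrying only the ustar magic."""
    header = bytearray(512)
    header[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] = TAR_MAGIC
    return bytes(header)


# Constructed sample attachments: two mismatches, one genuine tar, one honest rar.
SAMPLE_ATTACHMENTS = [
    Attachment("invoice.tar", RAR5_MAGIC + b"\x00" * 32),  # RAR5 bytes, tar name -> flag
    Attachment("backup.TAR", RAR4_MAGIC + b"\x00" * 32),   # RAR4 bytes, upper-case ext -> flag
    Attachment("logs.tar", _fake_tar_header()),             # real tar header -> clean
    Attachment("archive.rar", RAR5_MAGIC + b"\x00" * 32),  # extension matches content -> clean
]

if __name__ == "__main__":
    for name in flagged_attachments(SAMPLE_ATTACHMENTS):
        print(f"FLAG extension/type mismatch: {name}")
```

The extension comparison is lower-cased to match the case-insensitive `=~` operator; a check that only looked for `.tar` would miss `backup.TAR`. Signature sniffing covers both RAR header generations because a RAR5 archive does not start with the RAR4 sequence.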