Attachment: Uncommon compressed file
Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.
Sublime rule

```yaml
name: "Attachment: Uncommon compressed file"
description: |
  Use if passing compressed or archive files is not typical behavior in your
  organization. This behavior has been observed in a number of phishing campaigns.
references:
  - "https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/"
  - "https://filesec.io/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"
```
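The rule's logic, re-implemented over a handful of constructed inbound and outbound messages so a detection engineer can see which ones fire. This is an added example, not Sublime's code or MQL engine; the `Message` and `Attachment` classes, the `direction` field and the lower-casing of extensions are assumptions made here.

```python
"""Added example: evaluate the 'uncommon compressed file' rule over sample messages."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Extension list taken verbatim from the rule's source block.
UNCOMMON_COMPRESSED = {"tar", "iso", "img", "cab", "gadget", "uue"}


@dataclass
class Attachment:
    file_name: str

    @property
    def file_extension(self) -> str:
        # Stand-in for MQL's .file_extension: last suffix only, lower-cased,
        # no leading dot. Lower-casing is an assumption so "INVOICE.ISO"
        # matches the same as "invoice.iso".
        return PurePosixPath(self.file_name).suffix.lstrip(".").lower()


@dataclass
class Message:
    direction: str                      # "inbound" or "outbound" (assumed field)
    attachments: list = field(default_factory=list)


def matches_rule(msg: Message) -> bool:
    """type.inbound and any(attachments, .file_extension in (...))."""
    if msg.direction != "inbound":
        return False
    return any(a.file_extension in UNCOMMON_COMPRESSED for a in msg.attachments)


def evaluate(messages: list) -> list:
    """Return the indexes of messages that the rule would flag."""
    return [i for i, m in enumerate(messages) if matches_rule(m)]


# Constructed sample traffic (not real mail).
SAMPLE_MESSAGES = [
    Message("inbound", [Attachment("invoice.iso")]),          # flagged
    Message("inbound", [Attachment("report.pdf.ISO")]),       # double extension, flagged
    Message("inbound", [Attachment("archive.zip")]),          # zip is not in the list
    Message("outbound", [Attachment("backup.tar")]),          # not inbound
    Message("inbound", []),                                   # no attachments
]

if __name__ == "__main__":
    print("flagged message indexes:", evaluate(SAMPLE_MESSAGES))
```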