Attachment: Uncommon compressed file

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

Sublime rule:

```yaml
name: "Attachment: Uncommon compressed file"
description: |
  Use if passing compressed or archive files is not typical behavior in your
  organization. This behavior has been observed in a number of phishing campaigns.
references:
  - "https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/"
  - "https://filesec.io/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments, .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue'))
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"
```
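As an added example (not code from this page or from Sublime Security), the following Python emulates the rule's `source` logic over a constructed message so the extension check can be exercised offline before enabling the rule. How Sublime itself derives `.file_extension` is assumed here to be the final dotted suffix, lower-cased; the `Attachment` and `Message` types are stand-ins for the platform's message data model.

```python
# Added example: offline emulation of the "Uncommon compressed file" rule.
# Assumption: `.file_extension` is the text after the last dot, lower-cased,
# so "invoice.pdf.iso" -> "iso" and "README" -> "" (never matches).
from dataclasses import dataclass, field

# Extension list copied verbatim from the rule's `source` block.
UNCOMMON_ARCHIVE_EXTENSIONS = {"tar", "iso", "img", "cab", "gadget", "uue"}


@dataclass
class Attachment:
    file_name: str

    @property
    def file_extension(self) -> str:
        name = self.file_name.strip()
        if "." not in name or name.endswith("."):
            return ""  # no usable extension
        return name.rsplit(".", 1)[1].lower()


@dataclass
class Message:
    inbound: bool  # stands in for `type.inbound`
    attachments: list[Attachment] = field(default_factory=list)


def matching_attachments(msg: Message) -> list[str]:
    """Names of attachments that satisfy the rule's `any(...)` clause.

    Mirrors `type.inbound and any(attachments, .file_extension in (...))`:
    mail that is not inbound is ignored entirely, regardless of attachments.
    """
    if not msg.inbound:
        return []
    return [a.file_name for a in msg.attachments
            if a.file_extension in UNCOMMON_ARCHIVE_EXTENSIONS]


def rule_fires(msg: Message) -> bool:
    return bool(matching_attachments(msg))


if __name__ == "__main__":
    # Constructed sample: a double-extension lure beside a benign PDF.
    sample = Message(inbound=True, attachments=[
        Attachment("invoice_2024.pdf.iso"),
        Attachment("Quarterly report.PDF"),
    ])
    print(rule_fires(sample), matching_attachments(sample))
```

Because the rule fires on the extension alone, tuning is a matter of editing `UNCOMMON_ARCHIVE_EXTENSIONS` (or the rule's list) to match what is actually uncommon in your mail flow.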
