Attachment with auto-executing macro (unsolicited)
Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.
Malicious macros are a common phishing payload used to deploy malware.

The rule fires on an inbound message only when all three of the following hold: an attachment has a macro-capable extension ($file_extensions_macros) and oletools reports an auto-executing macro keyword (AutoOpen, Document_Open and the like); the sender is unsolicited, meaning either a free-mail address (by root domain) that is not in $recipient_emails, or a non-free-mail domain that is not in $recipient_domains; and the message is not a reply. Note that the reply negation is satisfied when References is empty or no In-Reply-To header is present, so a message carrying only one of the two headers still matches.
Sublime rule
name: "Attachment with auto-executing macro (unsolicited)"
description: |
  Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.

  Macros are a common phishing technique used to deploy malware.
references:
  - "https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_macros
          and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )

  // negate replies
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Macros"
detection_methods:
  - "Archive analysis"
  - "Header analysis"
  - "File analysis"
  - "Macro analysis"
  - "OLE analysis"
  - "Sender analysis"
id: "af6624c3-2a28-5fbb-8936-fb29e55dd29d"
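The following is an added example, not Sublime's code or part of the rule above: a plain-Python approximation of the rule's three conditions, run over a constructed message so it can be executed offline. The attachment's VBA source is passed in already extracted; in a real pipeline it would come from oletools (olevba), which the example deliberately does not call. MACRO_EXTENSIONS and FREE_EMAIL_PROVIDERS are assumed stand-ins for $file_extensions_macros and $free_email_providers, org_emails/org_domains stand in for $recipient_emails/$recipient_domains, root_domain is a two-label shortcut rather than a public-suffix lookup, the inbound direction (type.inbound) is taken as given, and the sample message and macro are constructed.

```python
# Added example (not Sublime's code): approximation of the rule in plain Python.
# VBA text is supplied already extracted; olevba is not called so this runs offline.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed stand-ins for Sublime's $file_extensions_macros and $free_email_providers.
MACRO_EXTENSIONS = {"doc", "dot", "docm", "dotm", "xls", "xlt", "xlsm", "xlsb", "xltm",
                    "ppt", "pot", "pptm", "potm"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Auto-execution entry points, modelled on a subset of olevba's AUTOEXEC_KEYWORDS.
AUTOEXEC_RE = re.compile(
    r"\b(?:Auto(?:Open|Exec|Close|New|Exit)|Auto_(?:Open|Close|Exec)"
    r"|Document_(?:Open|Close|New)|Workbook_(?:Open|Activate|BeforeClose))\b",
    re.IGNORECASE,
)


def root_domain(domain: str) -> str:
    """Last two labels of a domain. Sublime's root_domain uses the public suffix
    list; this shortcut (an assumption) is wrong for e.g. example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def autoexec_keywords(vba_source: str) -> list[str]:
    """Auto-executing procedure names in VBA source, i.e. the rule's
    `.macros.keywords, .type =~ "autoexec"` check."""
    return sorted({m.group(0) for m in AUTOEXEC_RE.finditer(vba_source)})


def is_unsolicited(sender: str, org_emails: set[str], org_domains: set[str]) -> bool:
    """The rule's sender test. org_emails/org_domains stand in for
    $recipient_emails/$recipient_domains (the receiving org's own addresses/domains)."""
    sender = sender.lower()
    if "@" not in sender:
        return False  # no usable sender address: the rule cannot evaluate it, so no match
    domain = sender.split("@", 1)[1]
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        # Free-mail sender: only an exact address match makes them a known correspondent.
        return sender not in {e.lower() for e in org_emails}
    # Any other sender: their domain must not be one of the organization's own.
    return domain not in {d.lower() for d in org_domains}


def is_reply(msg: Message) -> bool:
    """The rule's reply negation, mirrored exactly: a message counts as a reply only
    when References is non-empty AND In-Reply-To is present, so a message carrying
    just one of the two headers still matches the rule."""
    references = (msg.get("References") or "").split()
    return bool(references) and msg.get("In-Reply-To") is not None


def evaluate(raw_message: str, vba_by_attachment: dict[str, str],
             org_emails: set[str], org_domains: set[str]) -> dict:
    """Return the rule verdict plus the evidence behind it (inbound direction assumed)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    hits: dict[str, list[str]] = {}
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # not an attachment
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext in MACRO_EXTENSIONS:  # `.file_extension in~ $file_extensions_macros`
            found = autoexec_keywords(vba_by_attachment.get(filename, ""))
            if found:
                hits[filename] = found
    reply = is_reply(msg)
    return {
        "sender": sender,
        "autoexec": hits,
        "reply": reply,
        "matched": bool(hits) and is_unsolicited(sender, org_emails, org_domains) and not reply,
    }


# Constructed sample message and macro source (not real phishing artifacts).
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <accounts.payable.2024@gmail.com>
To: finance@example.com
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice and enable content.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_VBA = """\
Sub AutoOpen()
    Document_Open
End Sub

Sub Document_Open()
    Shell "cmd.exe /c calc.exe", vbHide
End Sub
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE, {"invoice.docm": SAMPLE_VBA},
                   org_emails={"finance@example.com"}, org_domains={"example.com"}))
```

Running it prints the verdict for the constructed free-mail sender with an AutoOpen/Document_Open macro. The is_reply function is worth tuning before reuse: adding References and In-Reply-To headers to the sample suppresses the match, but adding only one of them does not, which is exactly how the rule's `or` behaves.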