Attachment with VBA macros from employee impersonation (unsolicited)
Attachment contains a VBA macro and comes from a sender your organization has never sent an email to (for free-mail senders the individual address is checked; for all other senders the domain is checked).
Sender is using a display name that matches the display name of someone in your organization, a common employee-impersonation pretext.
VBA macros are a common phishing technique used to deploy malware.
Sublime rule
name: "Attachment with VBA macros from employee impersonation (unsolicited)"
description: |
  Attachment contains a VBA macro from a sender your organization has never sent an email to.

  Sender is using a display name that matches the display name of someone in
  your organization.

  VBA macros are a common phishing technique used to deploy malware.
references:
  - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/"
type: "rule"
severity: "high"
source: |
  type.inbound
  // display name collides with someone in the org
  and sender.display_name in $org_display_names
  // a macro-enabled document, or an archive, that actually carries VBA
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
          )
          and file.oletools(.).indicators.vba_macros.exists
  )
  // unsolicited: free-mail address never mailed, or non-free domain never mailed
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Macros"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
  - "Sender analysis"
id: "9b262123-9010-5245-89a7-9ebd75333b2a"
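The following is an added example, not Sublime's code and not the rule's MQL: it re-implements the rule's three predicates (org display-name collision, macro-bearing attachment including one wrapped in an archive, and the free-mail/non-free "unsolicited" split) in plain Python so they can be exercised offline on constructed messages. The list contents, addresses and file names are assumptions. Macro presence is decided by the presence of a vbaProject.bin part inside a macro-enabled OOXML document (.docm/.xlsm/.pptm are ZIP containers); that is a simplification of `file.oletools(.)`, which also parses legacy OLE2 .doc/.xls files this example does not handle.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-ins for the rule's lists (assumptions, not real org data).
ORG_DISPLAY_NAMES = {"Jane Doe", "John Smith"}          # $org_display_names
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}     # $free_email_providers
FILE_EXTENSIONS_MACROS = {"docm", "xlsm", "pptm", "dotm", "xlam"}
FILE_EXTENSIONS_COMMON_ARCHIVES = {"zip", "7z", "rar"}
RECIPIENT_EMAILS = {"partner@gmail.com"}                # $recipient_emails
RECIPIENT_DOMAINS = {"vendor.example"}                  # $recipient_domains

# Part names that mark a macro-enabled Word/Excel/PowerPoint OOXML file.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


@dataclass
class Attachment:
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        # lower-cased to mirror the rule's case-insensitive `in~`
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class Message:
    sender_display_name: str
    sender_email: str
    attachments: list = field(default_factory=list)


def has_vba_macros(data: bytes, depth: int = 0) -> bool:
    """True if an OOXML document carries a vbaProject.bin part, or if a ZIP archive
    contains a macro-extension member that does (one level of nesting)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy OLE2 .doc/.xls would need oletools here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(part in names for part in OOXML_VBA_PARTS):
            return True
        if depth == 0:
            for name in names:
                if name.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS_MACROS:
                    if has_vba_macros(zf.read(name), depth + 1):
                        return True
    return False


def is_unsolicited(sender_email: str) -> bool:
    """Free-mail senders are judged per address, everyone else per domain."""
    _, _, domain = sender_email.lower().partition("@")
    root_domain = ".".join(domain.split(".")[-2:])  # crude stand-in for root_domain
    if root_domain in FREE_EMAIL_PROVIDERS:
        return sender_email.lower() not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS


def rule_matches(msg: Message) -> bool:
    if msg.sender_display_name not in ORG_DISPLAY_NAMES:
        return False
    macro_attachment = any(
        (a.file_extension in FILE_EXTENSIONS_MACROS
         or a.file_extension in FILE_EXTENSIONS_COMMON_ARCHIVES)
        and has_vba_macros(a.content)
        for a in msg.attachments
    )
    return macro_attachment and is_unsolicited(msg.sender_email)


def build_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP; only the part names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def build_zip(member_name: str, member: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member)
    return buf.getvalue()


MACRO_DOC = build_docm(True)
CLEAN_DOC = build_docm(False)

# Constructed sample messages covering each branch of the rule.
SAMPLES = {
    "gmail_impersonator": Message("Jane Doe", "jane.doe.ceo@gmail.com", [Attachment("invoice.docm", MACRO_DOC)]),
    "gmail_archive": Message("Jane Doe", "jane.doe.ceo@gmail.com", [Attachment("invoice.zip", build_zip("invoice.docm", MACRO_DOC))]),
    "gmail_known": Message("Jane Doe", "partner@gmail.com", [Attachment("invoice.docm", MACRO_DOC)]),
    "vendor_known": Message("John Smith", "john@vendor.example", [Attachment("report.docm", MACRO_DOC)]),
    "no_macro": Message("Jane Doe", "jane@unknown.example", [Attachment("invoice.docm", CLEAN_DOC)]),
    "not_impersonation": Message("Bob Random", "bob@unknown.example", [Attachment("invoice.docm", MACRO_DOC)]),
}


def evaluate_samples() -> dict:
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Only the two Gmail messages from an address the org has never mailed fire; the same document from a previously contacted address or domain, a clean document, or a non-colliding display name all fall through, which is the false-positive boundary the rule's `$recipient_emails` / `$recipient_domains` lists are meant to draw.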