Attachment with VBA macros from employee impersonation (unsolicited)

 1name: "Attachment with VBA macros from employee impersonation (unsolicited)"
 2description: |
 3  Attachment contains a VBA macro from a sender your organization has never sent an email to.
 4
 5  Sender is using a display name that matches the display name of someone in 
 6  your organization.
 7
 8  VBA macros are a common phishing technique used to deploy malware.  
 9references:
10  - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/"
11type: "rule"
12severity: "high"
13source: |
14  type.inbound
15
16  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
17  and strings.contains(sender.display_name, " ")
18  and sender.display_name in~ $org_display_names
19  and any(attachments,
20          (
21            .file_extension in~ $file_extensions_macros
22            or .file_extension in~ $file_extensions_common_archives
23            or (
24                .file_extension is null
25                and .file_type == "unknown"
26                and .content_type == "application/octet-stream"
27                and .size < 100000000
28              )
29          )
30          and file.oletools(.).indicators.vba_macros.exists
31  )
32  and (
33    not profile.by_sender().solicited
34    or (
35      profile.by_sender().any_messages_malicious_or_spam
36      and not profile.by_sender().any_false_positives
37    )
38  )  
39attack_types:
40  - "Malware/Ransomware"
41tactics_and_techniques:
42  - "Impersonation: Employee"
43  - "Macros"
44  - "Social engineering"
45detection_methods:
46  - "Archive analysis"
47  - "File analysis"
48  - "Macro analysis"
49  - "Sender analysis"
50id: "9b262123-9010-5245-89a7-9ebd75333b2a"