Attachment with encrypted zip (unsolicited)

Recursively scans files and archives to detect encrypted zip files. The rule fires only for inbound mail from a sender who is not solicited (or who has prior malicious/spam messages and no recorded false positives) and whose prevalence is not "common", which keeps routine password-protected archives from known correspondents out of the alert stream.

Sublime rule

name: "Attachment with encrypted zip (unsolicited)"
description: |
    Recursively scans files and archives to detect encrypted zip files.
references:
  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (.file_type == "zip" or .file_extension == "zip")
          and any(file.explode(.), any(.flavors.yara, . == 'encrypted_zip'))
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().prevalence == "common"
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Encryption"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
id: "697c87ae-943d-54a0-a41b-ba1667147e03"
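The archive half of the rule (`file.explode(.)` plus the `encrypted_zip` YARA flavor) boils down to one check: walk every member of the zip, and of any zip nested inside it, and look at bit 0 of the general-purpose bit flag, which is set for both traditional PKWARE and AES-encrypted entries. The following is an added, stand-alone Python illustration of that check, not Sublime's explode machinery or code from the rule repository. Because Python's `zipfile` cannot write encrypted entries, the fixture zips are packed by hand (`build_zip`, `sample_attachment`, and the member names are all constructed for this example); the detector itself reads them with the standard `zipfile` module. The depth and size caps are the practitioner caveat: a scanner that recurses into archives needs a bound, or a nested zip bomb becomes a denial of service against the mail pipeline.

```python
"""Recursive encrypted-zip detector (added example, not Sublime's own code).

Reports any zip member, at any nesting depth, whose general-purpose bit flag
has bit 0 set. Encrypted members cannot be opened without the password, so
they are reported and not descended into; plain members that look like zips
(magic bytes or a .zip name, mirroring the rule's file_type/file_extension
test) are recursed.
"""
from __future__ import annotations

import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"            # local file header signature
FLAG_ENCRYPTED = 0x0001               # general-purpose bit flag, bit 0
MAX_DEPTH = 4                         # bound recursion: nested zip bombs exist
MAX_MEMBER_BYTES = 32 * 1024 * 1024   # do not inflate huge members just to peek


def find_encrypted_zips(blob: bytes, path: str = "attachment.zip", depth: int = 0) -> list:
    """Return 'outer/inner/.../member' paths of every encrypted entry in blob."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except (zipfile.BadZipFile, EOFError, ValueError):
        return hits  # not a zip, or too damaged to carry a central directory
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & FLAG_ENCRYPTED:
                hits.append(member)
                continue  # no password: report it, do not try to open it
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)
            if data.startswith(ZIP_MAGIC) or info.filename.lower().endswith(".zip"):
                hits.extend(find_encrypted_zips(data, member, depth + 1))
    return hits


def build_zip(members) -> bytes:
    """Assemble a stored (uncompressed) zip from (name, data, encrypted) triples.

    Constructed fixture: headers are packed by hand because zipfile cannot write
    encrypted entries. 'Encrypted' members only get flag bit 0 set and keep the
    payload as-is, which is all a flag-based detector ever inspects.
    """
    body, central = bytearray(), bytearray()
    for name, data, encrypted in members:
        nb = name.encode("ascii")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        # local header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(nb), 0) + nb + data
        # central directory header: adds made-by, comment len, disk, attrs, header offset
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0,
                               0, 0, crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0,
                               offset) + nb
    # end of central directory: disk numbers, entry counts, cd size, cd offset, comment len
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def sample_attachment() -> bytes:
    """Constructed lure: a harmless-looking outer zip carrying a nested zip whose
    only member is password-protected, the layering the rule is written for."""
    inner = build_zip([("invoice.exe", b"MZ\x90\x00 placeholder bytes", True)])
    return build_zip([
        ("readme.txt", b"Please open the attached invoice with password 1234", False),
        ("inner.zip", inner, False),
    ])


if __name__ == "__main__":
    for hit in find_encrypted_zips(sample_attachment()):
        print("encrypted member:", hit)
```

The detector only reads the central directory and the unencrypted members it needs to recurse through, so a wrong or missing password never stops it; that matches the rule, which is interested in the presence of encryption, not the contents. Real scanners should also treat a zip that fails to parse as suspicious rather than silently clean, and bound total decompressed bytes across the whole tree, not just per member.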
