Attachment with encrypted zip (unsolicited)

Recursively explodes zip attachments (and the archives nested inside them) to detect encrypted zip files, and only fires when the sender is unsolicited: a free-mail address that is not in the recipients' known contacts, or a non-free-mail domain that is not among the recipients' known domains.

Sublime rule (View on GitHub)

 1name: "Attachment with encrypted zip (unsolicited)"
 2description: |
 3    Recursively scans files and archives to detect encrypted zip files.
 4references:
 5  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (.file_type == "zip" or .file_extension == "zip")
12          and any(file.explode(.), any(.flavors.yara, . == 'encrypted_zip'))
13  )
14  and (
15    (
16      sender.email.domain.root_domain in $free_email_providers
17      and sender.email.email not in $recipient_emails
18    )
19    or (
20      sender.email.domain.root_domain not in $free_email_providers
21      and sender.email.domain.domain not in $recipient_domains
22    )
23  )  
24attack_types:
25  - "Malware/Ransomware"
26tactics_and_techniques:
27  - "Evasion"
28  - "Encryption"
29detection_methods:
30  - "Archive analysis"
31  - "File analysis"
32  - "Sender analysis"
33id: "697c87ae-943d-54a0-a41b-ba1667147e03"