Attachment with suspicious author (unsolicited)
Recursively scans files and archives to detect embedded docx files with a specific author.
Sublime rule:

name: "Attachment with suspicious author (unsolicited)"
description: |
  Recursively scans files and archives to detect embedded docx files with a specific author.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("doc", "docm", "docx", "dot", "dotm")
            or .file_extension in~ $file_extensions_common_archives
          )
          and any(file.explode(.), strings.ilike(.scan.docx.author, "root"))
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "40f518b9-88a2-59c5-8f6a-54bfd0fdf209"
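The file-analysis half of the rule (the extension gate, recursive archive explosion and the case-insensitive author match), reproduced in Python as an added example that is not part of the Sublime rule or its repository; the sender-profile conditions are not modelled. It assumes zip as the only stand-in for $file_extensions_common_archives, and reads the author from dc:creator in docProps/core.xml, the part Word writes it to; the sample attachments are constructed in-memory.

```python
import io, re, zipfile

DOC_EXTENSIONS = ("doc", "docm", "docx", "dot", "dotm")
ARCHIVE_EXTENSIONS = ("zip",)  # assumption: stand-in for $file_extensions_common_archives
SUSPICIOUS_AUTHOR = "root"     # strings.ilike(..., "root") with no wildcard: case-insensitive equality

def docx_author(data):  # dc:creator from docProps/core.xml, or None if data is not a docx
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            core = z.read("docProps/core.xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    m = re.search(r"<dc:creator>(.*?)</dc:creator>", core, re.S)
    return m.group(1).strip() if m else None

def explode(name, data, depth=0, max_depth=5):  # like file.explode: the file plus its zip members
    yield name, data
    if name.rsplit(".", 1)[-1].lower() in ARCHIVE_EXTENSIONS and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    yield from explode(member, z.read(member), depth + 1, max_depth)
        except zipfile.BadZipFile:
            return  # a corrupt archive yields only itself

def suspicious_docx_authors(attachments):
    """Names of docx files, at any archive depth, whose author matches SUSPICIOUS_AUTHOR."""
    hits = []
    for name, data in attachments:
        if name.rsplit(".", 1)[-1].lower() not in DOC_EXTENSIONS + ARCHIVE_EXTENSIONS:
            continue  # the rule's .file_extension in~ (...) gate
        for inner_name, inner_data in explode(name, data):
            author = docx_author(inner_data)
            if author is not None and author.lower() == SUSPICIOUS_AUTHOR:
                hits.append(inner_name)
    return hits

def make_zip(members):  # constructed test data: in-memory zip from (name, bytes-or-str) pairs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, member_data in members:
            z.writestr(member_name, member_data)
    return buf.getvalue()

def make_docx(author):  # constructed minimal docx: only the core-properties part matters here
    core = f'<cp:coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>{author}</dc:creator></cp:coreProperties>'
    return make_zip([("docProps/core.xml", core), ("word/document.xml", "<w:document/>")])

SAMPLE_ATTACHMENTS = [("invoice.docx", make_docx("ROOT")), ("memo.docx", make_docx("Alice")),  # constructed
                      ("bundle.zip", make_zip([("inner/report.docx", make_docx("root")), ("notes.txt", b"text")]))]
```

Running suspicious_docx_authors(SAMPLE_ATTACHMENTS) flags the top-level docx and the one nested inside the archive, and ignores the benign docx and the non-document member.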