Attachment with suspicious author (unsolicited)

Recursively scans files and archives to detect embedded docx files with a specific author.

Sublime rule (View on GitHub)

```yaml
name: "Attachment with suspicious author (unsolicited)"
description: |
    Recursively scans files and archives to detect embedded docx files with a specific author.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("doc", "docm", "docx", "dot", "dotm")
            or .file_extension in~ $file_extensions_common_archives
          )
          and any(file.explode(.), strings.ilike(.scan.docx.author, "root"))
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "40f518b9-88a2-59c5-8f6a-54bfd0fdf209"
```
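The file-analysis half of the rule (explode each Word or archive attachment, read the docx author, compare it case-insensitively to "root") can be reproduced offline with the standard library. The following is an added example, not Sublime's code: it opens only zip containers (the rule's `$file_extensions_common_archives` list is wider), reads the author from `docProps/core.xml` the way `.scan.docx.author` exposes it, and treats `strings.ilike(..., "root")` with no wildcards as a case-insensitive equality test. The sender-profile conditions depend on Sublime's message history and are not modelled here. All attachment bytes are constructed in the block itself.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Extensions the rule names, plus the one archive container this example opens
# (assumption: the real rule uses Sublime's $file_extensions_common_archives list).
DOC_EXTENSIONS = {"doc", "docm", "docx", "dot", "dotm"}
ARCHIVE_EXTENSIONS = {"zip"}
DC_NS = "http://purl.org/dc/elements/1.1/"

# Minimal core-properties part; OOXML stores the author as Dublin Core dc:creator.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    "<dc:creator>{author}</dc:creator></cp:coreProperties>"
)


def docx_author(data: bytes):
    """Return the dc:creator value of an OOXML document, or None if absent/not a docx."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    creator = root.find(f"{{{DC_NS}}}creator")
    if creator is None or creator.text is None:
        return None
    return creator.text.strip()


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode(name: str, data: bytes, depth: int = 0, max_depth: int = 5):
    """Yield (path, bytes) for the file itself and, recursively, every member of
    any zip it contains. Stands in for file.explode(.); the depth cap keeps a
    nested-archive bomb from recursing forever."""
    yield name, data
    if depth >= max_depth or _extension(name) not in ARCHIVE_EXTENSIONS:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                yield from explode(f"{name}/{member.filename}", zf.read(member),
                                   depth + 1, max_depth)
    except zipfile.BadZipFile:
        return


def suspicious_author_hits(attachments, author="root"):
    """Paths of exploded docx files whose author equals `author`, ignoring case.
    Only attachments with a Word or archive extension are examined, as in the rule."""
    hits = []
    for name, data in attachments:
        if _extension(name) not in DOC_EXTENSIONS | ARCHIVE_EXTENSIONS:
            continue
        for path, blob in explode(name, data):
            found = docx_author(blob)
            if found is not None and found.lower() == author.lower():
                hits.append(path)
    return hits


# --- constructed sample attachments (not real mail data) ---
def build_docx(author: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML.format(author=author))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [
    ("report.docx", build_docx("Jane Doe")),                       # benign author
    ("bundle.zip", build_zip({"invoice.docx": build_docx("Root")})),  # nested, matches
    ("notes.txt", b"plain text, never exploded"),                   # wrong extension
]

if __name__ == "__main__":
    print(suspicious_author_hits(SAMPLE_ATTACHMENTS))  # ['bundle.zip/invoice.docx']
```

The match surfaces the full exploded path, which is what an analyst wants in the alert: it tells them the flagged document was inside an archive rather than attached directly.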