Attachment with suspicious author (unsolicited)

Recursively scans files and archives to detect embedded docx files with a specific author.

Sublime rule

name: "Attachment with suspicious author (unsolicited)"
description: |
    Recursively scans files and archives to detect embedded docx files with a specific author.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("doc", "docm", "docx", "dot", "dotm")
            or .file_extension in~ $file_extensions_common_archives
          )
          and any(file.explode(.), strings.ilike(.scan.docx.author, "root"))
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "40f518b9-88a2-59c5-8f6a-54bfd0fdf209"
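As an added illustration, not Sublime's own code, the following Python sketch reproduces the file-analysis half of the rule outside the platform: it recursively explodes zip-based attachments the way `file.explode` does and flags Word documents whose OOXML core-properties author matches "root" case-insensitively. The minimal docx builder, the nesting limit and the sample archive are constructed for this example; the sender checks against `$free_email_providers` and the recipient lists are not reproduced.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
DC_CREATOR = "{http://purl.org/dc/elements/1.1/}creator"
DOC_EXTS = ("doc", "docm", "docx", "dot", "dotm")  # same list the rule checks

def docx_author(data: bytes):
    """Return dc:creator from docProps/core.xml of an OOXML package, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            creator = ET.fromstring(z.read("docProps/core.xml")).find(DC_CREATOR)
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    return creator.text if creator is not None else None

def explode(name: str, data: bytes, depth: int = 0, max_depth: int = 5):
    """Yield (path, bytes) for a file and, recursively, every member of any zip it contains."""
    yield name, data
    if depth >= max_depth:  # bound recursion so nested archives cannot run away
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            payloads = [(m, z.read(m)) for m in z.namelist() if not m.endswith("/")]
    except zipfile.BadZipFile:
        return
    for member, payload in payloads:
        yield from explode(f"{name}/{member}", payload, depth + 1, max_depth)

def suspicious_authors(name: str, data: bytes, author: str = "root"):
    """Paths of Word documents, at any archive depth, whose author equals `author` (case-insensitive)."""
    return [path for path, payload in explode(name, data)
            if path.rsplit(".", 1)[-1].lower() in DOC_EXTS
            and (docx_author(payload) or "").lower() == author.lower()]

def make_zip(members: dict) -> bytes:
    """Constructed archive from {filename: bytes}; a docx is itself such a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for fname, payload in members.items():
            z.writestr(fname, payload)
    return buf.getvalue()

def make_docx(author: str) -> bytes:
    """Constructed minimal OOXML package carrying only the core-properties part."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            f' xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>{author}</dc:creator></cp:coreProperties>')
    return make_zip({"docProps/core.xml": core})

# Constructed sample: an archive holding a docx authored by "Root" beside a benign one.
SAMPLE_ZIP = make_zip({"invoice.docx": make_docx("Root"), "notes.docx": make_docx("Alice")})
```

Real documents carry more parts than `docProps/core.xml`, but the author lookup is the same; a missing or unparsable core part yields no author and therefore no hit.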