Attachment with unscannable encrypted zip (unsolicited)
Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.
# Sublime Security detection rule; the detection query itself is the MQL
# expression under `source`. Everything else is rule metadata.
name: "Attachment with unscannable encrypted zip (unsolicited)"
description: |
  Recursively scans files and archives to detect embedded ZIP files
  that are encrypted and could not be opened/scanned.
references:
  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
type: "rule"
severity: "medium"
# The query is a conjunction of three conditions:
#   1. type.inbound — only inbound mail is evaluated.
#   2. At least one attachment whose file_type or file_extension is "zip",
#      and whose file.explode() output contains a file carrying the YARA
#      flavor 'encrypted_zip' with no cracked_password, i.e. the archive
#      stayed encrypted and unscanned. Archives whose password was recovered
#      (cracked_password set) are excluded here; presumably another rule
#      covers the cracked case — verify.
#      NOTE(review): the outer filter keys on the top-level attachment being
#      a zip, so an encrypted zip carried inside a non-zip container would not
#      be in scope of this rule — confirm whether a sibling rule covers that.
#   3. Sender gating via profile.by_sender(): the sender was never solicited,
#      or has prior malicious/spam messages with no recorded false positives.
source: |
  type.inbound
  and any(attachments,
          (.file_type == "zip" or .file_extension == "zip")
          and any(file.explode(.),
                  any(.flavors.yara, . == 'encrypted_zip')
                  and .scan.encrypted_zip.cracked_password == null
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "YARA"
# Stable rule identifier (UUID); quoted so no parser retypes it.
id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a"