Attachment with unscannable encrypted zip

calendar Apr 30, 2026  ยท
Share on: linkedin copy

Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.

Sublime rule (View on GitHub)

 1name: "Attachment with unscannable encrypted zip"
 2description: |
 3  Recursively scans files and archives to detect embedded ZIP files
 4  that are encrypted and could not be opened/scanned.  
 5references:
 6  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and any(attachments,
12          (.file_type == "zip" or .file_extension == "zip")
13          and any(file.explode(.),
14                  any(.flavors.yara, . == 'encrypted_zip')
15                  and .scan.encrypted_zip.cracked_password == null
16          )
17  )  
18attack_types:
19  - "Malware/Ransomware"
20tactics_and_techniques:
21  - "Encryption"
22  - "Evasion"
23detection_methods:
24  - "Archive analysis"
25  - "File analysis"
26  - "YARA"
27id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a"
to-top