Attachment with unscannable encrypted zip (unsolicited)

Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.

Sublime rule (View on GitHub)

 1name: "Attachment with unscannable encrypted zip (unsolicited)"
 2description: |
 3  Recursively scans files and archives to detect embedded ZIP files
 4  that are encrypted and could not be opened/scanned.  
 5references:
 6  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and any(attachments,
12          (.file_type == "zip" or .file_extension == "zip")
13          and any(file.explode(.),
14                  any(.flavors.yara, . == 'encrypted_zip')
15                  and .scan.encrypted_zip.cracked_password == null
16          )
17  )
18  and (
19    (
20      sender.email.domain.root_domain in $free_email_providers
21      and sender.email.email not in $recipient_emails
22    )
23    or (
24      sender.email.domain.root_domain not in $free_email_providers
25      and sender.email.domain.domain not in $recipient_domains
26    )
27  )  
28attack_types:
29  - "Malware/Ransomware"
30tactics_and_techniques:
31  - "Encryption"
32  - "Evasion"
33detection_methods:
34  - "Archive analysis"
35  - "File analysis"
36  - "Sender analysis"
37  - "YARA"
38id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a"
to-top