Attachment with unscannable encrypted zip (unsolicited)

calendar Nov 1, 2023  ยท
Share on: linkedin copy

Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.

Sublime rule (View on GitHub)

 1name: "Attachment with unscannable encrypted zip (unsolicited)"
 2description: |
 3  Recursively scans files and archives to detect embedded ZIP files
 4  that are encrypted and could not be opened/scanned.  
 5references:
 6  - "https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/"
 7type: "rule"
 8severity: "medium"
 9source: |
10  type.inbound
11  and any(attachments,
12          (.file_type == "zip" or .file_extension == "zip")
13          and any(file.explode(.),
14                  any(.flavors.yara, . == 'encrypted_zip')
15                  and .scan.encrypted_zip.cracked_password == null
16          )
17  )
18  and (
19    not profile.by_sender().solicited
20    or (
21      profile.by_sender().any_messages_malicious_or_spam
22      and not profile.by_sender().any_false_positives
23    )
24  )  
25attack_types:
26  - "Malware/Ransomware"
27tactics_and_techniques:
28  - "Encryption"
29  - "Evasion"
30detection_methods:
31  - "Archive analysis"
32  - "File analysis"
33  - "Sender analysis"
34  - "YARA"
35id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a"
to-top