Attachment: XLSX file with suspicious print titles metadata

Detects XLSX attachments containing EXIF metadata with suspicious TitlesOfParts fields that follow a specific pattern combining 'Company_Name' with extracted values and 'Print_Titles', potentially indicating malicious document preparation.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML wrapper around an MQL `source` expression).
# It fires on inbound mail carrying an XLSX attachment whose TitlesOfParts EXIF
# field ends with a sheet named "Company_Name" immediately followed by a
# "<first sheet>!Print_Titles" entry; that specific trailing pattern is what the
# rule treats as suspicious, not the presence of print titles in general.
name: "Attachment: XLSX file with suspicious print titles metadata"
description: "Detects XLSX attachments containing EXIF metadata with suspicious TitlesOfParts fields that follow a specific pattern combining 'Company_Name' with extracted values and 'Print_Titles', potentially indicating malicious document preparation."
type: "rule"
# Severity is set by the rule author; nothing below scores or weights the match.
severity: "high"
source: |
  // only inbound messages are evaluated
  type.inbound
  // at least one attachment classified as xlsx must satisfy the inner checks
  // (NOTE(review): whether .file_type is derived from content or extension is not shown here)
  and any(filter(attachments, .file_type == "xlsx"),
          // get the TitleOfParts (Excel Docs this is Worksheet names)
          // https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/de32de14-9573-46f3-9f38-19659e3a8d9a
          // parse_exif is a beta function; the key comparison is exact
          any(filter(beta.parse_exif(.).fields, .key == "TitlesOfParts"),
              // extract the first sheet name
              // the regex expects the value to open with a quoted list entry,
              // i.e. a list-style string such as (constructed example)
              //   ["Sheet1","Company_Name","Sheet1!Print_Titles"]
              any(regex.iextract(.value, '^\[\"(?P<first_sheet>[^\"]+)\"'),
                  // check that the first sheet name is observed in the last sheet name with !print_title and comes after a sheet named "Company_Name"
                  // ..value appears to reach the enclosing TitlesOfParts value (not the regex match);
                  // the concatenated suffix is:  Company_Name","<first_sheet>!Print_Titles"]
                  // so the last two list entries are pinned exactly; anything else before them is ignored
                  strings.ends_with(..value,
                                    strings.concat("Company_Name\",\"",
                                                   .named_groups["first_sheet"],
                                                   '!Print_Titles"]'
                                    )
                  )
              )
          )
  )
attack_types:
  - "Credential Phishing"
# Tags are classification metadata only; the expression above does not inspect macros.
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "4c265cbe-bb77-5851-bbf5-1543afca1750"