Attachment: Excel file with suspicious template identifier
Detects inbound messages carrying an Excel attachment whose content is identified as xlsx and whose EXIF metadata has a "Template" field equal to the identifier TM16390866. A fixed template identifier recurring across unrelated senders can indicate a shared malicious document template being reused to distribute harmful content. The match is an exact string comparison on a single field, so it is a narrow indicator: attachments that are not classified as xlsx by content (for example legacy .xls or files whose type is detected differently from their extension) and templates carrying any other identifier do not fire this rule.
Sublime rule (View on GitHub)
name: "Attachment: Excel file with suspicious template identifier"
description: "Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "xlsx"
          and any(beta.parse_exif(.).fields,
                  .key == "Template" and .value == "TM16390866"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "40f84b4b-396b-52e8-8d2c-f30016e4096d"
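To see what the rule's three predicates actually check, here is an added Python re-implementation of the same logic over raw attachment bytes. This is example code written for this page, not Sublime's engine or the rule author's code. It assumes that the "Template" EXIF field of an xlsx corresponds to the Template element in the package's docProps/app.xml (extended-properties part), which is where ExifTool-style extractors read it from; the content-type heuristic, the message dict shape and the minimal test packages are all constructed stand-ins for Sublime's classifier and `beta.parse_exif`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Literal from the rule's MQL source.
SUSPICIOUS_TEMPLATE_ID = "TM16390866"
# Namespace of docProps/app.xml in OOXML packages (assumed location of the "Template" field).
EXT_PROPS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def detect_file_type(data: bytes) -> Optional[str]:
    """Content-based stand-in for the rule's `.file_type == "xlsx"` check.

    Like Sublime's classifier it ignores the file name entirely: a file is
    "xlsx" only if it is a zip container holding xl/workbook.xml. (Constructed
    heuristic, not Sublime's actual type detection.)
    """
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    if "xl/workbook.xml" in names:
        return "xlsx"
    if "word/document.xml" in names:
        return "docx"
    return "zip"


def parse_exif_fields(data: bytes) -> List[Dict[str, str]]:
    """Stand-in for `beta.parse_exif(.).fields`: key/value pairs from docProps/app.xml."""
    fields: List[Dict[str, str]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/app.xml" not in zf.namelist():
                return fields
            root = ET.fromstring(zf.read("docProps/app.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return fields
    for child in root:
        tag = child.tag.split("}", 1)[-1]  # drop the namespace prefix
        if len(child) == 0 and child.text is not None:  # scalar properties only
            fields.append({"key": tag, "value": child.text})
    return fields


def rule_matches(message: dict) -> bool:
    """The MQL source, predicate by predicate:
    type.inbound and any(attachments, file_type == "xlsx" and any(fields, Template == ID)).
    `message` is a constructed shape: {"inbound": bool, "attachments": [bytes, ...]}.
    """
    if not message.get("inbound"):
        return False
    for data in message.get("attachments", []):
        if detect_file_type(data) != "xlsx":
            continue
        for field in parse_exif_fields(data):
            if field["key"] == "Template" and field["value"] == SUSPICIOUS_TEMPLATE_ID:
                return True
    return False


def build_package(template_id: Optional[str], main_part: str = "xl/workbook.xml") -> bytes:
    """Constructed minimal OOXML-like zip for testing (not a real workbook).

    main_part selects what the content classifier will see: xl/workbook.xml
    yields "xlsx", word/document.xml yields "docx".
    """
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{EXT_PROPS_NS}"><Application>Microsoft Office</Application>'
    )
    if template_id is not None:
        app_xml += f"<Template>{template_id}</Template>"
    app_xml += "</Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr(main_part, '<?xml version="1.0"?><root/>')
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


if __name__ == "__main__":
    hit = build_package(SUSPICIOUS_TEMPLATE_ID)
    print(rule_matches({"inbound": True, "attachments": [hit]}))
```

The `docx` case is the instructive one: a Word document carrying the same template identifier has the matching EXIF field but is skipped because the rule gates on `.file_type == "xlsx"` first, and an outbound message with a matching attachment is skipped by `type.inbound` before any attachment is inspected.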