Attachment: Excel File With Suspicious Template Identifier

Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.

Sublime rule (View on GitHub)

name: "Attachment: Excel File With Suspicious Template Identifier"
description: "Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
      .file_type == "xlsx"
      and any(beta.parse_exif(.).fields,
              .key == "Template" and .value == "TM16390866"
      )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "40f84b4b-396b-52e8-8d2c-f30016e4096d"
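The rule above relies on Sublime's beta.parse_exif() to surface the "Template" field of an .xlsx attachment. For an .xlsx file that field comes from the package's docProps/app.xml part (the OOXML extended-properties element named Template), so the same check can be reproduced offline for triage or for validating a sample. The following is an added example written for this page, not Sublime's code and not the rule's own implementation: it opens the attachment as a zip container, reads the Template element, and compares it with the identifier from the rule. The type.inbound condition has no equivalent here, and the rule's .file_type check is approximated by the file extension (an assumption; Sublime derives file_type from content). The sample documents are constructed in memory and contain only the metadata part, not a real worksheet.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace of docProps/app.xml in Office Open XML packages; the
# "Template" value reported by EXIF tooling for .xlsx files lives here.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
# Template identifier from the rule on this page.
SUSPICIOUS_TEMPLATE = "TM16390866"


def extract_template(xlsx_bytes: bytes) -> Optional[str]:
    """Return the <Template> value from docProps/app.xml, or None.

    None is returned when the bytes are not a zip container, when the
    package has no docProps/app.xml part, when that part is not
    well-formed XML, or when it carries no Template element.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
            if "docProps/app.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("docProps/app.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    node = root.find(f"{{{APP_NS}}}Template")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def matches_rule(filename: str, xlsx_bytes: bytes,
                 template_id: str = SUSPICIOUS_TEMPLATE) -> bool:
    """Per-attachment predicate mirroring the rule: xlsx AND Template == id.

    The extension check stands in for Sublime's .file_type (assumption).
    """
    if not filename.lower().endswith(".xlsx"):
        return False
    return extract_template(xlsx_bytes) == template_id


def build_sample_xlsx(template: Optional[str]) -> bytes:
    """Construct a minimal OOXML-style package holding only app.xml.

    Constructed sample data for the example; it is not a real workbook.
    """
    props = ["<Application>Microsoft Excel</Application>"]
    if template is not None:
        props.append(f"<Template>{template}</Template>")
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{APP_NS}">' + "".join(props) + "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.xlsx", build_sample_xlsx(SUSPICIOUS_TEMPLATE)),  # should match
        ("report.xlsx", build_sample_xlsx("TM00000000")),          # other template
        ("plain.xlsx", build_sample_xlsx(None)),                   # no Template element
        ("notes.docx", build_sample_xlsx(SUSPICIOUS_TEMPLATE)),    # wrong file type
        ("broken.xlsx", b"not a zip container"),                   # unparsable
    ]
    for name, data in samples:
        print(f"{name:14} template={extract_template(data)!r:16} "
              f"match={matches_rule(name, data)}")
```

Because extract_template() returns None on every failure path rather than raising, a malformed or truncated attachment is simply treated as a non-match, which is the same outcome the rule produces when parse_exif yields no Template field.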