Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.
This technique has been used by known threat actors in the wild.
Sublime rule (View on GitHub)
```yaml
name: "Link to auto-download of a suspicious file type (unsolicited)"
description: |
  A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

  Recursively explodes auto-downloaded files within archives to detect these file types.

  This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.

  This technique has been used by known threat actors in the wild.
type: "rule"
references:
  - "https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
  - "https://twitter.com/MsftSecIntel/status/1418706920152522753"
  - "https://sandbox.sublimesecurity.com?id=e586c888-4426-41dd-a1be-5a13852075ef"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          // Detect suspicious direct Google Drive downloads
          (
            strings.icontains(.href_url.url, "drive.google.com/uc")
            and strings.icontains(.href_url.url, "export=download")
            and any(ml.link_analysis(., mode="aggressive").files_downloaded,
                    .file_extension in $file_extensions_common_archives
            )
          )
          or any(ml.link_analysis(.).files_downloaded,
                 // call parse_exif to see if there is a sus file
                 any(beta.parse_exif(.).fields,
                     .key == "ArchivedFileName"
                     and strings.ilike(.value,
                                       "*.dll",
                                       "*.html",
                                       "*.exe",
                                       "*.lnk",
                                       "*.js",
                                       "*.vba",
                                       "*.vbs",
                                       "*.vbe",
                                       "*.bat"
                     )
                 )
                 or any(file.explode(.),
                        (
                          // look for files in encrypted zips.
                          // if password cracking the zip wasn't
                          // successful, our only opportunity to look
                          // for suspicious file types is here under
                          // .zip.attempted_files
                          "encrypted_zip" in .flavors.yara
                          and any(.scan.zip.attempted_files,
                                  strings.ilike(., "*.dll", "*.html", "*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe", "*.bat")
                          )
                        )
                        // for both non-encrypted zips and encrypted zips
                        // that were successfully cracked
                        or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
                        or strings.ilike(.file_name, "*.exe")
                        or (
                          .file_extension not in ("dll", "exe")
                          and (
                            .flavors.mime in ("application/x-dosexec")
                            or any(.flavors.yara, . in ('mz_file'))
                          )
                        )
                        or any(.flavors.yara, . == "macho_file")
                 )
                 and not (
                   ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
                   and .file_extension == "exe"
                 )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"
```
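To make the rule's branching easier to reason about when tuning it, here is an added Python model of its decision logic run over a handful of constructed messages. It is not Sublime's engine or an MQL evaluator, and it is not part of the rule above: the dict shapes (keys such as `exploded`, `attempted_files`, `sender_profile`) are assumptions that mirror the fields the rule references, `COMMON_ARCHIVE_EXTS` is an assumed stand-in for Sublime's `$file_extensions_common_archives` list, and `and` is taken to bind tighter than `or`, so the zoom.us exception guards only the `file.explode` branch.

```python
"""Added model of the rule's decision logic (assumption-based, not Sublime's code)."""
from fnmatch import fnmatchcase

# Patterns and extension lists copied from the rule itself.
SUSPICIOUS_GLOBS = ("*.dll", "*.html", "*.exe", "*.lnk", "*.js",
                    "*.vba", "*.vbs", "*.vbe", "*.bat")
SUSPICIOUS_EXTS = ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
COMMON_ARCHIVE_EXTS = ("zip", "rar", "7z", "gz", "iso")  # assumed contents of $file_extensions_common_archives


def ilike_any(name, globs=SUSPICIOUS_GLOBS):
    """Case-insensitive counterpart of strings.ilike(name, *globs)."""
    return any(fnmatchcase(name.lower(), g) for g in globs)


def exploded_file_is_suspicious(f):
    """The checks the rule applies to each result of file.explode(.)."""
    yara = f.get("yara", [])
    ext = f.get("file_extension", "")
    # Encrypted zip that was not cracked: only the attempted file names are visible.
    if "encrypted_zip" in yara and any(ilike_any(n) for n in f.get("attempted_files", [])):
        return True
    # Cracked or unencrypted content: judge by extension and file name.
    if ext in SUSPICIOUS_EXTS or ilike_any(f.get("file_name", ""), ("*.exe",)):
        return True
    # A PE hiding behind a non-executable extension (MIME type or YARA says MZ).
    if ext not in ("dll", "exe") and (f.get("mime") == "application/x-dosexec" or "mz_file" in yara):
        return True
    return "macho_file" in yara


def downloaded_file_is_suspicious(d, link_root_domain):
    """One entry of ml.link_analysis(.).files_downloaded, with the zoom.us carve-out."""
    archived = d.get("exif", {}).get("ArchivedFileName")
    exif_hit = archived is not None and ilike_any(archived)
    explode_hit = any(exploded_file_is_suspicious(f) for f in d.get("exploded", []))
    zoom_installer = link_root_domain == "zoom.us" and d.get("file_extension") == "exe"
    return exif_hit or (explode_hit and not zoom_installer)


def link_is_suspicious(link):
    """Google Drive direct-download-of-archive branch, or any suspicious downloaded file."""
    url = link["href_url"].lower()
    downloads = link.get("files_downloaded", [])
    gdrive_archive = ("drive.google.com/uc" in url and "export=download" in url
                      and any(d.get("file_extension") in COMMON_ARCHIVE_EXTS for d in downloads))
    return gdrive_archive or any(
        downloaded_file_is_suspicious(d, link.get("effective_root_domain", "")) for d in downloads)


def sender_gate(p):
    """Unsolicited sender, or a sender with bad history and no benign history."""
    return (not p["solicited"]) or (p["any_messages_malicious_or_spam"] and not p["any_messages_benign"])


def rule_fires(msg):
    return msg["inbound"] and any(link_is_suspicious(l) for l in msg["links"]) and sender_gate(msg["sender_profile"])


# Constructed sample messages (invented for this example, not real telemetry).
UNSOLICITED = {"solicited": False, "any_messages_malicious_or_spam": False, "any_messages_benign": False}
TRUSTED = {"solicited": True, "any_messages_malicious_or_spam": False, "any_messages_benign": True}
ENCRYPTED_ZIP_LINK = {"href_url": "https://files.example.test/invoice.zip", "effective_root_domain": "example.test",
                      "files_downloaded": [{"file_extension": "zip", "exploded": [
                          {"yara": ["encrypted_zip"], "attempted_files": ["Invoice_2024.LNK"]}]}]}
SAMPLES = {
    "encrypted_zip_with_lnk_unsolicited": {"inbound": True, "links": [ENCRYPTED_ZIP_LINK], "sender_profile": UNSOLICITED},
    "same_link_from_trusted_sender": {"inbound": True, "links": [ENCRYPTED_ZIP_LINK], "sender_profile": TRUSTED},
    "zoom_installer": {"inbound": True, "sender_profile": UNSOLICITED, "links": [
        {"href_url": "https://zoom.us/client/latest/ZoomInstaller.exe", "effective_root_domain": "zoom.us",
         "files_downloaded": [{"file_extension": "exe",
                               "exploded": [{"file_extension": "exe", "file_name": "ZoomInstaller.exe"}]}]}]},
    "gdrive_direct_archive": {"inbound": True, "sender_profile": UNSOLICITED, "links": [
        {"href_url": "https://drive.google.com/uc?export=download&id=FILEID", "effective_root_domain": "google.com",
         "files_downloaded": [{"file_extension": "zip",
                               "exploded": [{"file_extension": "pdf", "file_name": "report.pdf"}]}]}]},
    "pe_renamed_to_pdf": {"inbound": True, "sender_profile": UNSOLICITED, "links": [
        {"href_url": "https://cdn.example.test/report.pdf", "effective_root_domain": "example.test",
         "files_downloaded": [{"file_extension": "pdf", "exploded": [
             {"file_extension": "pdf", "file_name": "report.pdf", "mime": "application/x-dosexec"}]}]}]},
}


def evaluate_samples():
    """Verdict per constructed sample: True where the modelled rule would fire."""
    return {name: rule_fires(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'ALERT' if verdict else 'pass'}")
```

Running it shows the two suppressions the rule builds in: the same encrypted-zip link is alerted on from an unsolicited sender but not from a solicited sender with benign history, and the zoom.us installer is let through even though its `.exe` extension would otherwise match.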