Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This technique has been used by known threat actors in the wild.
Sublime rule
name: "Link to auto-download of a suspicious file type (unsolicited)"
description: |
  A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

  Recursively explodes auto-downloaded files within archives to detect these file types.

  This technique has been used by known threat actors in the wild.
type: "rule"
references:
  - "https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
  - "https://twitter.com/MsftSecIntel/status/1418706920152522753"
  - "https://sandbox.sublimesecurity.com?id=e586c888-4426-41dd-a1be-5a13852075ef"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          any(beta.linkanalysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    // look for files in encrypted zips.
                    // if password cracking the zip wasn't
                    // successful, our only opportunity to look
                    // for suspicious file types is here under
                    // .zip.attempted_files
                    "encrypted_zip" in .flavors.yara
                    and any(.scan.zip.attempted_files,
                            strings.ilike(., "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
                    )
                  )
                  // for both non-encrypted zips and encrypted zips
                  // that were successfully cracked
                  or .file_extension in ("lnk", "js", "vba", "vbs", "vbe")
              )
          )
  )
  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"
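The rule's file predicate has two paths: normal (or successfully cracked) archives are exploded and each member's extension is checked, while an encrypted zip that could not be cracked is judged only on the member names it advertises. The following is an added Python example, not Sublime's code or a reimplementation of its platform, that shows why the second path works: zip encryption (both ZipCrypto and AES) covers member bodies but not the central directory, so file names remain readable without the password. The detector recurses into nested zips, tries an assumed three-word wordlist on encrypted members, and falls back to the directory listing when every guess fails. The sample archives are constructed in memory (the "LNK" is a few header bytes, not a real shortcut), and a minimal ZipCrypto writer is included only because Python's `zipfile` module can read but not write encrypted archives.

```python
"""Added example (not Sublime's code): recursive archive explosion with the
encrypted-zip fallback the rule describes. Samples are constructed, not real."""
import io
import struct
import zipfile
import zlib

SUSPICIOUS_EXTS = ("lnk", "js", "vba", "vbs", "vbe")  # the rule's extension list
WORDLIST = [b"123456", b"password", b"infected"]        # assumed cracking wordlist


# --- minimal ZipCrypto (traditional PKWARE) writer, only to build samples offline
def _crc_entry(i):
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i

_CRCTAB = [_crc_entry(i) for i in range(256)]

class ZipCryptoEncryptor:
    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, c):  # key schedule is driven by plaintext bytes
        k = self.k
        k[0] = (k[0] >> 8) ^ _CRCTAB[(k[0] ^ c) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)

def build_zip(members, password=None):
    """STORED zip from (name, bytes) pairs; ZipCrypto-encrypted if a password is given."""
    body, central = bytearray(), bytearray()
    for name, data in members:
        crc, flags, payload, nm = zlib.crc32(data), 0, data, name.encode()
        if password:
            flags = 0x1  # general-purpose bit 0: member body is encrypted
            # 12-byte encryption header; its last byte is the CRC check byte
            payload = ZipCryptoEncryptor(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
        offset = len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                            crc, len(payload), len(data), len(nm), 0) + nm + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                               crc, len(payload), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


# --- detection side ------------------------------------------------------------
def is_suspicious(name):
    """Case-insensitive extension match, like strings.ilike("*.lnk", ...) in the rule."""
    return "." in name and name.lower().rsplit(".", 1)[1] in SUSPICIOUS_EXTS

def crack(zf, member):
    for pw in WORDLIST:
        try:
            return zf.read(member, pwd=pw)           # CRC is verified on read
        except (RuntimeError, zipfile.BadZipFile):   # bad password / CRC mismatch
            continue
    return None

def explode(name, data, depth=0, max_depth=4):
    """One record per extracted file, roughly what file.explode() exposes."""
    rec = {"name": name, "encrypted_zip": False, "attempted_files": []}
    records = [rec]
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return records
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                rec["encrypted_zip"] = True
                content = crack(zf, info.filename)
                if content is None:
                    # names sit in the unencrypted central directory: the only
                    # signal left when cracking fails (.zip.attempted_files)
                    rec["attempted_files"].append(info.filename)
                    continue
            else:
                content = zf.read(info.filename)
            records += explode(info.filename, content, depth + 1, max_depth)
    return records

def rule_matches(name, data):
    """The rule's file predicate evaluated over every exploded record."""
    return any(
        (r["encrypted_zip"] and any(is_suspicious(f) for f in r["attempted_files"]))
        or is_suspicious(r["name"])
        for r in explode(name, data))


# --- constructed samples (no real malware) -------------------------------------
def sample_nested_lnk():
    inner = build_zip([("Invoice_4471.LNK", b"L\x00\x00\x00\x01\x14\x02\x00")])
    return build_zip([("invoices.zip", inner)])

def sample_uncrackable():
    return build_zip([("scan.vbs", b"MsgBox 1")], password=b"not-in-wordlist")

def sample_crackable():
    inner = build_zip([("run.js", b"// js")])
    return build_zip([("report.pdf", b"%PDF-1.4"), ("inner.zip", inner)], password=b"infected")

if __name__ == "__main__":
    for label, blob in [("invoices", sample_nested_lnk()), ("scan", sample_uncrackable()),
                        ("docs", sample_crackable()), ("notes", build_zip([("notes.txt", b"hi")]))]:
        print(label, rule_matches(label + ".zip", blob))
```

The uncrackable sample is the case the rule's comment is about: no password in the wordlist opens `scan.vbs`, so the record carries `encrypted_zip` with `scan.vbs` under `attempted_files`, and the extension check still fires on the name alone. The crackable sample shows the other path, where the password "infected" unlocks the outer archive and recursion reaches `run.js` inside it. A production explode should also cap total extracted bytes, since the same nesting that hides a payload can hide a zip bomb.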