Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.
This technique has been used by known threat actors in the wild.
Sublime rule (View on GitHub)
1name: "Link to auto-download of a suspicious file type (unsolicited)"
2description: |
3 A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
4
5 Recursively explodes auto-downloaded files within archives to detect these file types.
6
7 This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.
8
9 This technique has been used by known threat actors in the wild.
10type: "rule"
11references:
12 - "https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
13 - "https://twitter.com/MsftSecIntel/status/1418706920152522753"
14 - "https://sandbox.sublimesecurity.com?id=e586c888-4426-41dd-a1be-5a13852075ef"
15severity: "medium"
16source: |
17 type.inbound
18 and any(body.links,
19 // Detect suspicious direct Google Drive downloads
20 (
21 strings.icontains(.href_url.url, "drive.google.com/uc")
22 and strings.icontains(.href_url.url, "export=download")
23 and any(ml.link_analysis(., mode="aggressive").files_downloaded,
24 .file_extension in $file_extensions_common_archives
25 )
26 )
27
28 or any(ml.link_analysis(.).files_downloaded,
29 any(file.explode(.),
30 (
31 // look for files in encrypted zips.
32 // if password cracking the zip wasn't
33 // successful, our only opportunity to look
34 // for suspicious file types is here under
35 // .zip.attempted_files
36 "encrypted_zip" in .flavors.yara
37 and any(.scan.zip.attempted_files,
38 strings.ilike(., "*.dll", "*.html", "*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
39 )
40 )
41 // for both non-encrypted zips and encrypted zips
42 // that were successfully cracked
43 or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
44 or strings.ilike(.file_name, "*.exe")
45 or (
46 .file_extension not in ("dll", "exe")
47 and (
48 .flavors.mime in ("application/x-dosexec")
49 or any(.flavors.yara, . in ('mz_file'))
50 )
51 )
52 or any(.flavors.yara, . == "macho_file")
53 )
54 and not (
55 ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
56 and .file_extension == "exe"
57 )
58 )
59 )
60 and (
61 not profile.by_sender().solicited
62 or (
63 profile.by_sender().any_messages_malicious_or_spam
64 and not profile.by_sender().any_false_positives
65 )
66 )
67attack_types:
68 - "Malware/Ransomware"
69tactics_and_techniques:
70 - "Encryption"
71 - "Evasion"
72 - "LNK"
73 - "Social engineering"
74detection_methods:
75 - "Archive analysis"
76 - "File analysis"
77 - "Sender analysis"
78 - "URL analysis"
79 - "YARA"
80id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"