Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This technique has been used by known threat actors in the wild.
Sublime rule
```yaml
name: "Link to auto-download of a suspicious file type (unsolicited)"
description: |
  A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

  Recursively explodes auto-downloaded files within archives to detect these file types.

  This technique has been used by known threat actors in the wild.
type: "rule"
references:
  - "https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
  - "https://twitter.com/MsftSecIntel/status/1418706920152522753"
  - "https://sandbox.sublimesecurity.com?id=e586c888-4426-41dd-a1be-5a13852075ef"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              any(file.explode(.),
                  (
                    // look for files in encrypted zips.
                    // if password cracking the zip wasn't
                    // successful, our only opportunity to look
                    // for suspicious file types is here under
                    // .zip.attempted_files
                    "encrypted_zip" in .flavors.yara
                    and any(.scan.zip.attempted_files,
                            strings.ilike(., "*.???*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
                    )
                  )
                  // for both non-encrypted zips and encrypted zips
                  // that were successfully cracked
                  or .file_extension in ("lnk", "js", "vba", "vbs", "vbe")
                  or strings.ilike(.file_name, "*.???*.exe")
              )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "LNK"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
  - "YARA"
id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"
```
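As an added example that is not part of the Sublime rule or its codebase, the Python below models the rule's file-type logic over constructed download records: the encrypted-zip fallback on listed member names, the extension list, and the double-extension pattern, applied recursively through exploded archives. The record layout (file_name, flavors, zip_attempted_files, children) is an assumption standing in for Sublime's file attributes, and the glob matcher mirrors strings.ilike() as the rule uses it.

```python
# Added example (not Sublime's code): models the rule's file-type checks.
# Record layout is an assumption standing in for Sublime's file attributes:
#   file_name, flavors (YARA flavor names), zip_attempted_files (names an
#   encrypted zip listed but could not be extracted), children (exploded contents).
from fnmatch import fnmatchcase

SUSPICIOUS_EXTENSIONS = {"lnk", "js", "vba", "vbs", "vbe"}
DOUBLE_EXT_EXE = "*.???*.exe"  # e.g. invoice.pdf.exe, but not setup.exe
ENCRYPTED_ZIP_PATTERNS = (DOUBLE_EXT_EXE, "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")


def ilike(name, *patterns):
    """Case-insensitive glob match, mirroring strings.ilike() in the rule."""
    lowered = name.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def file_extension(name):
    """Lower-cased text after the last dot, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode(record):
    """Yield the record itself and, recursively, every extracted child."""
    yield record
    for child in record.get("children", []):
        yield from explode(child)


def is_suspicious(record):
    """Apply the rule's checks to one exploded file."""
    # Encrypted zip that stayed locked: only the listed member names are visible.
    if "encrypted_zip" in record.get("flavors", []) and any(
        ilike(n, *ENCRYPTED_ZIP_PATTERNS) for n in record.get("zip_attempted_files", [])
    ):
        return True
    # Plain files, and members of zips that were opened or cracked.
    name = record["file_name"]
    return file_extension(name) in SUSPICIOUS_EXTENSIONS or ilike(name, DOUBLE_EXT_EXE)


def link_downloads_suspicious_file(files_downloaded):
    """True when any file a link auto-downloads, or anything inside it, trips a check."""
    return any(is_suspicious(f) for top in files_downloaded for f in explode(top))


# Constructed sample: a link that served a zip holding a second zip with a script.
SAMPLE_DOWNLOAD = [{"file_name": "docs.zip", "children": [
    {"file_name": "inner.zip", "children": [{"file_name": "Open Me.VBS"}]}]}]
```

The encrypted-zip branch is the one most teams forget: when the archive cannot be opened, the member names in the zip directory are still readable and are the only signal left.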