• Sublime Core Feed
Low Severity

Attachment: Any .sap file (unsolicited)

Labels

Malware/Ransomware
Evasion
Scripting
File analysis
Header analysis
Sender analysis

Description

SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment.

References

Sublime Security
Created Oct 27th, 2025 • Last updated Oct 27th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments, .file_extension == "sap")
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started