• Sublime Core Feed
Low Severity

Attachment: Archive containing disallowed file type

Labels

Description

Recursively scans archives to detect disallowed file types. File extensions can be detected

within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 14th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.),
                .file_extension in~ (
                  // File types blocked by Gmail by default
                  // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
                  "ade",
                  "adp",
                  "apk",
                  "appx",
                  "appxbundle",
                  "bat",
                  "cab",
                  "chm",
                  "cmd",
                  "com",
                  "cpl",
                  "dll",
                  "dmg",
                  "ex",
                  "ex_",
                  "exe",
                  "hta",
                  "ins",
                  "isp",
                  "iso",
                  "jar",
                  "js",
                  "jse",
                  "lib",
                  "lnk",
                  "mde",
                  "msc",
                  "msi",
                  "msix",
                  "msixbundle",
                  "msp",
                  "mst",
                  "nsh",
                  "pif",
                  "ps1",
                  "scr",
                  "sct",
                  "shb",
                  "sys",
                  "vb",
                  "vbe",
                  "vbs",
                  "vxd",
                  "wsc",
                  "wsf",
                  "wsh",

                  // File types blocked by Microsoft 365 by default
                  // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
                  "ade",
                  "adp",
                  "app",
                  "application",
                  "appref-ms",
                  "asp",
                  "aspx",
                  "asx",
                  // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
                  "bat",
                  "bgi",
                  "cab",
                  // "cer",
                  "chm",
                  "cmd",
                  "cnt",
                  "com",
                  "cpl",
                  // "crt",
                  // "csh",
                  // "der",
                  "diagcab",
                  "exe",
                  "fxp",
                  "gadget",
                  // "grp",
                  "hlp",
                  "hpj",
                  "hta",
                  "htc",
                  // "inf",
                  "ins",
                  "iso",
                  "isp",
                  "its",
                  "jar",
                  "jnlp",
                  "js",
                  "jse",
                  "ksh",
                  "lnk",
                  "mad",
                  "maf",
                  "mag",
                  "mam",
                  "maq",
                  "mar",
                  "mas",
                  "mat",
                  "mau",
                  "mav",
                  "maw",
                  "mcf",
                  "mda",
                  // "mdb",
                  "mde",
                  "mdt",
                  "mdw",
                  "mdz",
                  "msc",
                  "msh",
                  "msh1",
                  "msh2",
                  "mshxml",
                  "msh1xml",
                  "msh2xml",
                  "msi",
                  "msp",
                  "mst",
                  "msu",
                  "ops",
                  "osd",
                  "pcd",
                  "pif",
                  "pl",
                  "plg",
                  "prf",
                  "prg",
                  "printerexport",
                  "ps1",
                  "ps1xml",
                  "ps2",
                  "ps2xml",
                  "psc1",
                  "psc2",
                  "psd1",
                  "psdm1",
                  "pst",
                  // "py",
                  // "pyc",
                  "pyo",
                  "pyw",
                  "pyz",
                  "pyzw",
                  "reg",
                  "scf",
                  "scr",
                  "sct",
                  "shb",
                  "shs",
                  "theme",
                  // "tmp",
                  "url",
                  "vb",
                  "vbe",
                  "vbp",
                  "vbs",
                  "vhd",
                  "vhdx",
                  "vsmacros",
                  "vsw",
                  "webpnp",
                  "website",
                  "ws",
                  "wsc",
                  "wsf",
                  "wsh",
                  "xbap",
                  "xll",
                  "xnk"
                )
                or (
                  // BASIC files can naturally occur in word docs,
                  // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
                  .depth == 1
                  and .file_extension =~ "bas"
                )
        )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started