• Sublime Core Feed
Low Severity

Attachment: Archive containing disallowed file type

Labels

Malware/Ransomware
Evasion
Archive analysis
File analysis

Description

Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Sep 18th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
// Purpose: flag inbound messages carrying an archive attachment that, once
// exploded, contains a file whose extension is on the Gmail or Microsoft 365
// default attachment-block lists (or a .bas file sitting directly in the
// archive), but only for senders that are new/outlier, have prior
// malicious/spam messages, and have no recorded false positives.
//
// NOTE(review): the inner match is on .file_extension (the entry's name),
// so it relies on file.explode being able to enumerate entry names inside
// the archive. The rule description says this works for password-protected
// archives; coverage for archive formats whose entry names are themselves
// encrypted is not established by anything in this rule — confirm.
type.inbound
and any(attachments,
      // Gate: the outer attachment is treated as an archive when its
      // extension is in the shared common-archives list (in~ is the
      // case-insensitive membership test) OR its detected file type is
      // "rar". NOTE(review): only rar is recognised by content type; every
      // other archive format is recognised by extension alone, so an
      // archive carried under a non-archive extension is not exploded
      // by this rule — confirm whether that is intended.
      (
        .file_extension in~ $file_extensions_common_archives
        or .file_type == "rar"
      )
    // Explode the archive (recursively, per the rule description) and look
    // for any contained entry whose extension is in the block list below.
    and any(file.explode(.), .file_extension in~ (
            // File types blocked by Gmail by default
            // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
            "ade",
            "adp",
            "apk",
            "appx",
            "appxbundle",
            "bat",
            "cab",
            "chm",
            "cmd",
            "com",
            "cpl",
            "dll",
            "dmg",
            "ex",
            "ex_",
            "exe",
            "hta",
            "ins",
            "isp",
            "iso",
            "jar",
            "js",
            "jse",
            "lib",
            "lnk",
            "mde",
            "msc",
            "msi",
            "msix",
            "msixbundle",
            "msp",
            "mst",
            "nsh",
            "pif",
            "ps1",
            "scr",
            "sct",
            "shb",
            "sys",
            "vb",
            "vbe",
            "vbs",
            "vxd",
            "wsc",
            "wsf",
            "wsh",

            // File types blocked by Microsoft 365 by default
            // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
            // Entries that also appear in the Gmail list above are repeated
            // here on purpose: duplicates are harmless to the membership
            // test and keep each vendor list auditable against its source.
            // Commented-out entries are deliberate exclusions from the
            // vendor list, not omissions.
            "ade",
            "adp",
            "app",
            "application",
            "appref-ms",
            "asp",
            "aspx",
            "asx",
            // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
            "bat",
            "bgi",
            "cab",
            // "cer",
            "chm",
            "cmd",
            "cnt",
            "com",
            "cpl",
            // "crt",
            // "csh",
            // "der",
            "diagcab",
            "exe",
            "fxp",
            "gadget",
            // "grp",
            "hlp",
            "hpj",
            "hta",
            "htc",
            // "inf",
            "ins",
            "iso",
            "isp",
            "its",
            "jar",
            "jnlp",
            "js",
            "jse",
            "ksh",
            "lnk",
            "mad",
            "maf",
            "mag",
            "mam",
            "maq",
            "mar",
            "mas",
            "mat",
            "mau",
            "mav",
            "maw",
            "mcf",
            "mda",
            // "mdb",
            "mde",
            "mdt",
            "mdw",
            "mdz",
            "msc",
            "msh",
            "msh1",
            "msh2",
            "mshxml",
            "msh1xml",
            "msh2xml",
            "msi",
            "msp",
            "mst",
            "msu",
            "ops",
            "osd",
            "pcd",
            "pif",
            "pl",
            "plg",
            "prf",
            "prg",
            "printerexport",
            "ps1",
            "ps1xml",
            "ps2",
            "ps2xml",
            "psc1",
            "psc2",
            "psd1",
            "psdm1",
            "pst",
            // "py",
            // "pyc",
            "pyo",
            "pyw",
            "pyz",
            "pyzw",
            "reg",
            "scf",
            "scr",
            "sct",
            "shb",
            "shs",
            "theme",
            // "tmp",
            "url",
            "vb",
            "vbe",
            "vbp",
            "vbs",
            "vhd",
            "vhdx",
            "vsmacros",
            "vsw",
            "webpnp",
            "website",
            "ws",
            "wsc",
            "wsf",
            "wsh",
            "xbap",
            "xll",
            "xnk"
          )
          or (
            // BASIC files can naturally occur in word docs,
            // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
            // .depth == 1 means the entry sits directly inside the
            // top-level archive; =~ is the case-insensitive equality test.
            .depth == 1
            and .file_extension =~ "bas"
          )
  )
)

// Sender-profile gating: fire only for senders that are new or outliers
// for this organisation, or that have previously sent malicious/spam
// messages. NOTE(review): an established sender with no prior bad history
// is therefore not flagged by this rule even if the archive matches —
// a deliberate noise-reduction choice; confirm it suits the deployment.
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
// Suppress senders that have already produced recorded false positives.
and not profile.by_sender().any_false_positives