• Sublime Core Feed
High Severity

Attachment: Archive with embedded EXE file

Labels

Description

Recursively scans files and archives to detect embedded EXE files (with an MZ header).

According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an

attack that used this technique to the "special services of the Russian Federation".

The spear-phishing operation urged recipients to download a RAR archive included in the

email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe)

that tried to pass as a PDF file.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.), any(.flavors.yara, . == "mz_file"))
)

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started