High Severity
Attachment: DocX embedded Binary
Description
This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.
Sublime Security
Created Feb 27th, 2024 • Last updated Mar 26th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or .content_type == "application/zip"
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.file_extension in~ (
"doc",
"docm",
"docx",
"dot",
"dotm",
"xls",
"xlsx",
"xlsm",
"xlm",
"xlsb",
"xlt",
"xltm",
"ppt",
"pptx",
"pptm",
"ppsm"
)
and (
any(.flavors.yara, . == "base64_pe")
// The malicious file to be downloaded and run with the data URI may not always be portable executable
or any(.scan.strings.strings,
strings.ilike(., "*.createObjectURL(*)*")
)
or any(.scan.strings.strings,
strings.ilike(., "*.msSaveOrOpenBlob(*)*")
)
)
)
)
Playground
Test against your own EMLs or sample data.