Medium Severity

Attachment: DOCX with malicious document template artifacts

Description

Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.

References

No references.

Sublime Security
Created Jun 25th, 2026 • Last updated Jun 25th, 2026
Source
type.inbound
and any(filter(attachments, .file_type == "docx"),
        any(file.explode(.),
            any(.scan.yara.matches,
                .name in ("malicious_docx_document_template_artifacts")
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started