Sublime Core Feed • Low Severity

Attachment: EML with Encrypted ZIP

Description

Detects an attached EML file that itself contains an encrypted ZIP archive. The encryption can be used to bypass security scanning and deliver malicious content.

References

No references.

Sublime Security
Created Aug 18th, 2025 • Last updated Nov 4th, 2025
Source
type.inbound
// attached EML
and any(filter(attachments, .content_type == "message/rfc822" or .file_extension in ('eml')),
        // Attached EML contains a ZIP file
        any(filter(file.parse_eml(.).attachments,
                   .file_type == "zip" or .file_extension == "zip"
            ),
            // ZIP file is encrypted
            any(file.explode(.),
                any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
            )
        )
)
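As an added example, not part of Sublime's rule or product, the same logic in Python's standard library: parse the outer message, descend into any attached EML (a message/rfc822 part or a .eml file), and flag a ZIP attachment whose central-directory entries carry the encryption bit, which is what the rule's file.explode / scan.zip.encrypted check reports. The sample message and ZIP are constructed inline; because zipfile cannot write encrypted archives, the encryption flag is patched into an ordinary archive, so the member data is not actually encrypted, only the header is.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # general-purpose flag bit 0 of a ZIP entry header

def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry in the central directory carries the encryption flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & ENCRYPTED for i in zf.infolist())
    except zipfile.BadZipFile:  # not a ZIP at all, whatever it is named
        return False

def attached_eml_has_encrypted_zip(raw: bytes) -> bool:
    """Python rendering of the MQL rule: attached EML -> ZIP attachment -> encrypted."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the parser already nested the message
        elif (part.get_filename() or "").lower().endswith(".eml"):
            inner = email.message_from_bytes(part.get_payload(decode=True) or b"", policy=policy.default)
        else:
            continue
        for att in inner.iter_attachments():
            # file_type "zip" or file_extension "zip": parsing the bytes covers both
            if zip_is_encrypted(att.get_payload(decode=True) or b""):
                return True
    return False

def sample_zip(encrypted: bool) -> bytes:
    """Constructed sample; zipfile cannot write encrypted archives, so the flag is
    patched into the local file header (+6) and central directory entry (+8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", b"placeholder, not a real payload")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)) if encrypted else ():
        data[data.find(sig) + off] |= ENCRYPTED  # one member, so one hit per signature
    return bytes(data)

def sample_message(encrypted: bool = True) -> bytes:
    """Constructed sample: a forwarded mail whose .eml attachment carries the ZIP."""
    inner = EmailMessage()
    inner.set_content("Archive attached.")
    inner.add_attachment(sample_zip(encrypted), maintype="application", subtype="zip", filename="invoice.zip")
    outer = EmailMessage()
    outer.set_content("Forwarding the original message.")
    outer.add_attachment(inner, filename="original.eml")  # serialises as message/rfc822
    return outer.as_bytes()
```

A ZIP attached directly to the outer message does not match, exactly as in the rule, which only looks inside attached EMLs; the unencrypted variant of the sample is there to confirm the flag check is what fires.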