Sublime Core Feed
Medium Severity

Attachment: Encrypted zip file with payment-related lure

Description

Detects inbound messages that carry a zip attachment together with payment-themed lure text referencing an encrypted archive, a password, and payment details. The rule requires at least three signals drawn from body patterns (a zip file described as encrypted, a "password is ..." phrase followed by an alphanumeric string, payment details said to be attached) and payment-related subject lines, and then checks that the first attachment is a zip whose name looks financial or whose message body contains a long uppercase string that could be the password. Password-protected archives are a common evasion technique: the scanner cannot inspect the encrypted contents, while the password printed in the message body lets the recipient extract the archive manually.

References

No references.

Sublime Security
Created Nov 25th, 2025 • Last updated Nov 25th, 2025
Source
type.inbound
and length(attachments) > 0
// 3 instances of zip/encrypted/payment information
and 3 of (
  regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
  regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
  regex.icontains(body.current_thread.text,
                  'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
  ),
  regex.icontains(body.current_thread.text,
                  'details.{1,20}payment.{1,30}attach'
  ),
  strings.icontains(subject.subject, "you have received"),
  strings.icontains(subject.subject, "new debit"),
  strings.icontains(subject.subject, "payment confirmation"),
  strings.icontains(subject.subject, "invoice attached")
)
and (
  // the first attachment is a zip (only attachments[0] is inspected, so
  // additional attachments do not affect the verdict)
  attachments[0].file_extension == "zip"
  and (
    regex.icontains(attachments[0].file_name,
                    'payment|invoice|receipt|document|bank'
    )
    // long uppercase passwords
    or regex.contains(body.current_thread.text, '[A-Z]{10,}')
  )
)