High Severity

Attachment: Excel file with document sharing lure created by Go Excelize

Labels

Credential Phishing

Macros

Description

Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.

References

No references.

Sublime Security

Created Jan 29th, 2026 • Last updated Jan 29th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(filter(attachments,
               .file_extension in $file_extensions_macros
               // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
               and .size < 2000000
        ),
        any(file.explode(.),
            // document sharing lure
            (
              length(.scan.strings.raw, ) < 1000
              and regex.icontains(.scan.strings.raw,
                                  '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
              )
            )
            or strings.icontains(.scan.strings.raw,
                                 'Please download this spreadsheet or SVG and click'
            )
            or (
              length(.scan.strings.raw) < 500
              and strings.contains(.scan.strings.raw, 'REVIEW DOCUMENT')
            )
        )
        and beta.parse_exif(.).creator == "xuri"
        and any(beta.parse_exif(.).fields,
                .key == "Application" and .value == "Go Excelize"
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.