• Sublime Core Feed
High Severity

Attachment: Excel file with suspicious template identifier

Labels

Credential Phishing
Evasion
Macros
Exif analysis
File analysis

Description

Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.

References

No references.

Sublime Security
Created Sep 16th, 2025 • Last updated Sep 17th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
    .file_type == "xlsx"
    and any(beta.parse_exif(.).fields,
            .key == "Template" and .value == "TM16390866"
    )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started