• Sublime Core Feed
Medium Severity

Attachment: File execution via Javascript

Labels

Description

Javascript contains identifiers or strings that may attempt to execute files.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Dec 19th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_type in $file_extensions_common_archives
        and any(file.explode(.),
                any(.scan.javascript.identifiers, strings.ilike(., 'ActiveXObject', 'ShellExecute'))
                or (
                  length(.scan.javascript.strings) > 0
                  and all(.scan.javascript.strings, strings.ilike(., 'Shell.Application', '*.exe'))
                )
        )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started