• Sublime Core Feed
Medium Severity

Attachment: Macro files containing MHT content

Labels

Malware/Ransomware
Credential Phishing
Evasion
Macros
Scripting
Archive analysis
File analysis
Macro analysis

Description

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.

References

No references.

Sublime Security
Created Jun 12th, 2025 • Last updated Aug 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_extension in $file_extensions_macros
        and any(file.explode(.),
                .file_extension == "mht" and not .flavors.mime == "message/rfc822"
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started