Medium Severity
Attachment: Macro Files Containing MHT Content
Description
Detects macro-enabled attachments (file extensions in $file_extensions_macros) that, once exploded, contain a nested file carrying an .mht extension whose content is not identified as message/rfc822, the MIME type a genuine MHT (MIME HTML) archive would present. The mismatch between the .mht name and the detected content is a file format manipulation commonly used to disguise malicious code inside an otherwise ordinary Office document.
References
No references.
Sublime Security
Created Jun 12th, 2025 • Last updated Jun 12th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
.file_extension in $file_extensions_macros
and any(file.explode(.),
.file_extension == "mht" and not .flavors.mime == "message/rfc822"
)
)
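The following is an added example, not Sublime's own code: it emulates the rule above in Python against constructed .docm samples so the logic can be traced offline. It assumes a specific contents list for $file_extensions_macros and stands in for file.explode(.) and .flavors.mime with a zip walker and a minimal content sniffer (both hypothetical simplifications of what the Sublime platform actually does).

```python
"""Added example: emulate the "macro file containing MHT" rule on constructed samples."""
import io
import re
import zipfile

# Assumption: $file_extensions_macros covers these macro-enabled Office extensions.
FILE_EXTENSIONS_MACROS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm", "ppam"}

# Header line shape per RFC 5322: token characters, a colon, then whitespace.
_HEADER_LINE = re.compile(rb"^[!-9;-~]+:[ \t]")


def sniff_mime(data: bytes) -> str:
    """Toy stand-in for Sublime's .flavors.mime (assumption, not the real identifier).

    A genuine MHT file is a MIME message: a block of "Name: value" header lines that
    includes MIME-Version or Content-Type, followed by a blank line and the body.
    Anything named .mht that does not look like that is exactly what the rule targets.
    """
    if data.startswith(b"PK\x03\x04"):
        return "application/zip"
    head = data.lstrip(b"\r\n")[:4096]
    header_block = head.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = [ln for ln in header_block.splitlines() if ln.strip()]
    if lines and all(_HEADER_LINE.match(ln) or ln[:1] in b" \t" for ln in lines):
        names = {ln.split(b":", 1)[0].lower() for ln in lines if b":" in ln}
        if names & {b"mime-version", b"content-type"}:
            return "message/rfc822"
    if re.match(rb"\s*<(!doctype\s+html|html)", head, re.IGNORECASE):
        return "text/html"
    return "application/octet-stream"


def explode(name: str, data: bytes):
    """Stand-in for file.explode(.): yield (extension, mime) for the file and, for zip
    containers such as OOXML documents, every member inside it (recursively)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mime = sniff_mime(data)
    yield ext, mime
    if mime == "application/zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from explode(info.filename, zf.read(info))


def rule_matches(attachments) -> bool:
    """Mirror of the MQL: any macro-extension attachment whose exploded tree holds a
    file with extension "mht" that is not identified as message/rfc822."""
    for name, data in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in FILE_EXTENSIONS_MACROS:
            continue
        for child_ext, child_mime in explode(name, data):
            if child_ext == "mht" and child_mime != "message/rfc822":
                return True
    return False


def make_docm(members: dict) -> bytes:
    """Build a minimal OOXML-style zip (constructed sample, not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample contents. GENUINE_MHT is a well-formed MIME message; DISGUISED_MHT
# is plain HTML that merely carries an .mht name, the mismatch the rule looks for.
GENUINE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b"\r\n'
    b"\r\n--b\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n--b--\r\n"
)
DISGUISED_MHT = b"<html><body><script>/* constructed placeholder */</script></body></html>"

SAMPLES = {
    "benign": [("report.docm", make_docm({"word/embeddings/page.mht": GENUINE_MHT}))],
    "suspicious": [("invoice.docm", make_docm({"word/embeddings/page.mht": DISGUISED_MHT}))],
    "not_macro": [("notes.docx", make_docm({"page.mht": DISGUISED_MHT}))],
}

if __name__ == "__main__":
    for label, attachments in SAMPLES.items():
        print(f"{label}: rule fires = {rule_matches(attachments)}")
```

The "not_macro" sample shows the first guard of the rule at work: a nested .mht mismatch inside a .docx is ignored because only attachments with a macro extension are exploded. The "benign" sample shows why the rule excludes message/rfc822, since a properly formed MHT inside a macro document is not, by itself, the manipulation the rule is after.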