Medium Severity

Attachment: Office document loads remote document template

Labels

Malware/Ransomware

Archive analysis

File analysis

URL analysis

Description

Recursively scans archives and Office documents to detect remote document template injection.

References

https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          (
            // office files
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  .flavors.mime == "text/xml"
                  and any(.scan.strings.strings,
                          regex.icontains(., "Target.{0,20}http.{0,200}dotm")
                  )
          )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.