• Sublime Core Feed
High Severity

Attachment: OLE external relationship containing file scheme link to executable filetype

Labels

Malware/Ransomware
Evasion
Archive analysis
Content analysis
OLE analysis
Sender analysis

Description

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

References

No references.

Sublime Security
Created Mar 24th, 2024 • Last updated Apr 4th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or .file_extension in~ $file_extensions_common_archives
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and any(file.oletools(.).relationships,
                .target_url.scheme == "file"
                and regex.icontains(.target_url.path,
                                    '\.(action|ahk|apk|app|appimage|applescript|bat|bin|cab|cmd|command|cpl|dll|dmg|exe|gadget|hta|inf|ins|ipa|isu|jar|job|js|jse|lnk|msi|msp|paf|pif|ps1|rgs|run|scr|sct|sh|shb|vb|vbe|vbs)($|[^\w])'
                )
        )
)
and (
  not profile.by_sender().any_false_positives
  or profile.by_sender().any_messages_malicious_or_spam
)
MQL Console
View MQL Guide

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started