Attachment: SVG file execution

type.inbound
and any(attachments,
        (.file_extension =~ "svg" or .file_extension in $file_extensions_common_archives)
        and any(file.explode(.),
                .file_extension == "svg"
                // Author Matt harr0ey @harr0ey
                // Topic: SVG file Execution
                // WScript inside SVG
                // <script language="JScript">
                // <![CDATA[
                // var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
                // ]]>
                // </script>
                and any(.scan.strings.strings, strings.icontains(., "ActiveXObject"))
                and any(.scan.strings.strings, strings.icontains(., "WScript.Shell"))
                and any(.scan.strings.strings, strings.like(., "*Run*", "*Execute*"))
        )
)