Sublime Core Feed

Login to Sublime

Medium Severity

Attachment with encrypted zip (unsolicited)

Labels

Malware/Ransomware

Archive analysis

Sender analysis

Description

Recursively scans files and archives to detect encrypted zip files.

References

https://www.zdnet.com/article/this-phishing-email-contains-a-password-protected-file-dont-open-it/

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

type.inbound
and any(attachments,
        (.file_type == "zip" or .file_extension == "zip")
        and any(file.explode(.), any(.flavors.yara, . == 'encrypted_zip'))
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().prevalence == "common"

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.