Sublime Core Feed

Login to Sublime

High Severity

Attachment with high risk VBA macro (unsolicited)

Labels

Malware/Ransomware

Sender analysis

Description

Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.

References

https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
          )
        )
        and file.oletools(.).indicators.vba_macros.risk == "high"
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.