Sublime Core Feed
High Severity

Attachment: XLSX file with suspicious print titles metadata

Description

Detects XLSX attachments whose EXIF-parsed TitlesOfParts metadata (the list of worksheet and defined names) follows a specific pattern: the first worksheet's name reappears as the final entry in the form '<first sheet>!Print_Titles', immediately preceded by an entry named 'Company_Name'. This combination potentially indicates malicious document preparation.

References

No references.

Sublime Security
Created Sep 16th, 2025 • Last updated Sep 16th, 2025
Source
type.inbound
and any(filter(attachments, .file_type == "xlsx"),
        // get the TitleOfParts (Excel Docs this is Worksheet names)
        // https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/de32de14-9573-46f3-9f38-19659e3a8d9a
        any(filter(beta.parse_exif(.).fields, .key == "TitlesOfParts"),
            // extract the first sheet name
            any(regex.iextract(.value, '^\[\"(?P<first_sheet>[^\"]+)\"'),
                // check that the first sheet name is observed in the last sheet name with !print_title and comes after a sheet named "Company_Name"
                strings.ends_with(..value,
                                  strings.concat("Company_Name\",\"",
                                                 .named_groups["first_sheet"],
                                                 '!Print_Titles"]'
                                  )
                )
            )
        )
)