Description

Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.

References

No references.

Sublime Security
Created Jun 3rd, 2025 • Last updated Jul 3rd, 2025
Source
type.inbound
and any(attachments,
        (
          // Word documents
          strings.iends_with(.file_name, ".doc")
          or strings.iends_with(.file_name, ".docx")
          or strings.iends_with(.file_name, ".docm")
          or .content_type == "application/msword"
          or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
          or .file_type in ("doc", "docx")
          or 

          // Excel documents
          strings.iends_with(.file_name, ".xls")
          or strings.iends_with(.file_name, ".xlsx")
          or strings.iends_with(.file_name, ".xlsm")
          or .content_type == "application/vnd.ms-excel"
          or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
          or .file_type in ("xls", "xlsx")
          or 

          // PowerPoint documents
          strings.iends_with(.file_name, ".ppt")
          or strings.iends_with(.file_name, ".pptx")
          or strings.iends_with(.file_name, ".pptm")
          or .content_type == "application/vnd.ms-powerpoint"
          or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
          or .file_type in ("ppt", "pptx")
          or 

          // Access documents
          strings.iends_with(.file_name, ".accdb")
          or strings.iends_with(.file_name, ".mdb")
          or .content_type == "application/msaccess"
          or .content_type == "application/x-msaccess"
          or .content_type == "application/vnd.ms-access"
        )
        and any(file.explode(.),
                any(.scan.yara.matches, .name == 'aes_encryption_keywords')
        )
)
// Negating high-trust sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.