Medium Severity
Encrypted Microsoft Office Files From Untrusted Senders
Description
Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.
References
No references.
Sublime Security
Created Jun 3rd, 2025 • Last updated Jul 3rd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
// Word documents
strings.iends_with(.file_name, ".doc")
or strings.iends_with(.file_name, ".docx")
or strings.iends_with(.file_name, ".docm")
or .content_type == "application/msword"
or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
or .file_type in ("doc", "docx")
or
// Excel documents
strings.iends_with(.file_name, ".xls")
or strings.iends_with(.file_name, ".xlsx")
or strings.iends_with(.file_name, ".xlsm")
or .content_type == "application/vnd.ms-excel"
or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
or .file_type in ("xls", "xlsx")
or
// PowerPoint documents
strings.iends_with(.file_name, ".ppt")
or strings.iends_with(.file_name, ".pptx")
or strings.iends_with(.file_name, ".pptm")
or .content_type == "application/vnd.ms-powerpoint"
or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
or .file_type in ("ppt", "pptx")
or
// Access documents
strings.iends_with(.file_name, ".accdb")
or strings.iends_with(.file_name, ".mdb")
or .content_type == "application/msaccess"
or .content_type == "application/x-msaccess"
or .content_type == "application/vnd.ms-access"
)
and any(file.explode(.),
any(.scan.yara.matches, .name == 'aes_encryption_keywords')
)
)
// Negating high-trust sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.
Share
Post about this on your socials.