Medium Severity
Link to auto-download of a suspicious file type (unsolicited)
Description
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This technique has been used by known threat actors in the wild.
References
Sublime Security
Created Aug 17th, 2023 • Last updated Nov 20th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
        any(ml.link_analysis(.).files_downloaded,
            any(file.explode(.),
                (
                  // look for files in encrypted zips.
                  // if password cracking the zip wasn't
                  // successful, our only opportunity to look
                  // for suspicious file types is here under
                  // .zip.attempted_files
                  "encrypted_zip" in .flavors.yara
                  and any(.scan.zip.attempted_files,
                          strings.ilike(., "*.dll", "*.html", "*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
                  )
                )
                // for both non-encrypted zips and encrypted zips
                // that were successfully cracked
                or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
                or strings.ilike(.file_name, "*.exe")
                or (
                  .file_extension not in ("dll", "exe")
                  and (
                    .flavors.mime in ("application/x-dosexec")
                    or any(.flavors.yara, . in ('mz_file'))
                  )
                )
                or any(.flavors.yara, . == "macho_file")
            )
            and not (
              ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
              and .file_extension == "exe"
            )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
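The recursive explosion that the description and the rule above depend on, shown as an added Python example (this is not Sublime's code or the MQL engine, only a stand-alone approximation of the same checks). It walks an in-memory download, descends into nested zips, treats the members of an encrypted zip as name-only (the rule's `.scan.zip.attempted_files` branch, since without the password only the central directory is readable), applies the two extension lists from the rule, catches MZ or Mach-O magic hiding behind a non-executable extension (the `mz_file` / `macho_file` branches), and applies the zoom.us `.exe` carve-out. The function names `explode`, `content_findings` and `scan_download`, the depth limit, and the sample archive are assumptions constructed for this example; the "executables" in the sample are just leading magic bytes, not real binaries.

```python
import io
import zipfile

# Extension lists mirror the rule: the longer list applies to files whose contents can be
# read, the shorter one to names listed in an encrypted archive that could not be opened.
READABLE_EXTENSIONS = {"dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat"}
ENCRYPTED_NAME_EXTENSIONS = {"dll", "html", "exe", "lnk", "js", "vba", "vbs", "vbe"}
ALLOWED_EXE_DOMAINS = {"zoom.us"}  # the rule's one carve-out: .exe downloads from zoom.us

MZ_MAGIC = b"MZ"  # DOS/PE executable header
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                       # universal (fat) binary
}
MAX_DEPTH = 5  # assumed bound so nested archives cannot recurse without limit


def extension(path):
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def explode(name, data, depth=0):
    """Yield (path, payload) for a file and everything nested inside it.

    payload is None for members of an encrypted archive: without the password only the
    member name is known, which is what the rule's attempted_files branch inspects.
    """
    yield name, data
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            child = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                yield child, None
            else:
                yield from explode(child, zf.read(info), depth + 1)


def content_findings(path, payload):
    """Reasons a readable file matches: suspicious extension, or executable magic
    behind a non-executable extension."""
    ext = extension(path)
    reasons = []
    if ext in READABLE_EXTENSIONS:
        reasons.append(f"suspicious extension .{ext}")
    if ext not in ("dll", "exe") and payload[:2] == MZ_MAGIC:
        reasons.append("MZ header with non-executable extension")
    if payload[:4] in MACHO_MAGICS:
        reasons.append("Mach-O header")
    return reasons


def scan_download(file_name, data, root_domain=""):
    """Return [(path, reason), ...] for one auto-downloaded file and its nested contents."""
    hits = []
    for path, payload in explode(file_name, data):
        ext = extension(path)
        if payload is None:
            if ext in ENCRYPTED_NAME_EXTENSIONS:
                hits.append((path, f"encrypted archive member named *.{ext}"))
            continue
        if ext == "exe" and root_domain in ALLOWED_EXE_DOMAINS:
            continue
        hits.extend((path, reason) for reason in content_findings(path, payload))
    return hits


def _zip(entries):
    """Constructed sample helper: build an in-memory, uncompressed zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Constructed sample helper: zipfile cannot write password-protected archives, so the
    'encrypted' flag is patched into each local and central header; data is not encrypted."""
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


# Constructed sample: a nested archive of the kind the rule explodes.
SAMPLE_DOWNLOAD = _zip({
    "notes.txt": b"quarterly figures attached",
    "inner.zip": _zip({"invoice.js": b"var x = 1;", "report.pdf": b"%PDF-1.4\n"}),
    "update.scr": b"MZ\x90\x00" + b"\x00" * 60,          # MZ magic behind a .scr name
    "tool.bin": b"\xcf\xfa\xed\xfe" + b"\x00" * 60,      # 64-bit Mach-O magic
    "locked.zip": _mark_encrypted(_zip({"payload.lnk": b"L\x00\x00\x00"})),
})

if __name__ == "__main__":
    for path, reason in scan_download("attachments.zip", SAMPLE_DOWNLOAD, "example.invalid"):
        print(f"{path}: {reason}")
```

Two points carry over from the rule: the encrypted branch can only judge names, so a renamed payload inside a password-protected zip is invisible to it, which is why the non-encrypted branch also checks magic bytes rather than extension alone; and the zoom.us carve-out is keyed on the file extension, so it never suppresses a hit raised by a nested member or by a magic-byte mismatch.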