• delivr.to Feed
Medium Severity

Attachment: Nested 7-Zip Archives CVE-2025-0411 (Unsolicited)

Labels

No labels.

Description

This rule detects an unsolicited email carrying a 7-Zip archive that contains another 7-Zip archive. Nesting archives this way may be an attempt to exploit CVE-2025-0411, which bypasses Windows Mark-of-the-Web (MoTW) protections.

@delivr_to
Created Feb 6th, 2025 • Last updated Feb 6th, 2025
Feed Source
delivr.to Feed
Source
type.inbound
and any(attachments,
  any(file.explode(.),
    .file_extension == "7z"
    and any(.scan.yara.matches, .name == "SUSP_NESTED_7ZIP_Feb25")
  )
)
and (
  not profile.by_sender_email().solicited
  or sender.email.domain.domain == "delivrto.me"
)
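An added defender-side check, not part of the delivr.to rule or of Sublime's code: on an isolated test machine, after extracting a MoTW-tagged outer 7z and then its inner 7z, it reports whether the installed 7-Zip build predates the 24.09 fix for CVE-2025-0411 and whether each extracted file still carries the Zone.Identifier stream. The extraction directory and 7-Zip path are assumptions.

```powershell
# Added example, not part of the delivr.to rule. Run on a test VM after
# extracting a downloaded (MoTW-tagged) outer 7z and then its inner 7z.
param(
    # Assumed paths; adjust to where the nested archive was extracted.
    [string]$ExtractedDir = 'C:\Temp\nested-7z-test',
    [string]$SevenZipExe  = "$env:ProgramFiles\7-Zip\7z.exe"
)

# CVE-2025-0411 affects 7-Zip releases before 24.09.
$ver = (Get-Item -Path $SevenZipExe).VersionInfo.ProductVersion
if ([version]$ver -lt [version]'24.09') {
    Write-Warning "7-Zip $ver is older than 24.09 and does not propagate MoTW into nested archives"
} else {
    Write-Host "7-Zip $ver installed (fixed release)"
}

# Files downloaded from the Internet carry a Zone.Identifier ADS with ZoneId=3.
# Anything extracted from the inner archive should carry it as well.
Get-ChildItem -Path $ExtractedDir -File -Recurse | ForEach-Object {
    $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone -match 'ZoneId=3') {
        "[MoTW present] $($_.FullName)"
    } else {
        "[MoTW missing] $($_.FullName)  (SmartScreen / Protected View would not apply)"
    }
}
```

A file reported as "MoTW missing" after extraction from the inner archive is the condition this rule's nested-7z heuristic is meant to catch at the mail gateway, before the archive reaches a user.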