YARA

Detection Method: YARA

YARA detection scans email messages, attachments, and extracted content for known malware, phishing patterns, or suspicious code. This detection method uses the YARA pattern matching language, which lets your security team create specific signatures based on known malicious patterns, both textual and binary.

YARA detection can identify:

Known malware families based on their distinctive code patterns
Obfuscated scripts or executables using encoding techniques
Common phishing templates with structural similarities
Suspicious binary patterns that may indicate malicious functionality
Custom threats targeting specific organizations with tailored YARA rules

Blog Post

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.

Attack Types (6):

Tactics & Techniques (9):

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Link to auto-downloaded disk image in encrypted zip	2d ago Jul 16th, 2025 UTC	@ajpc500	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-download of a suspicious file type (unsolicited)	2d ago Jul 16th, 2025 UTC	Sublime Security	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Attachment with unscannable encrypted zip (unsolicited)	2d ago Jul 16th, 2025 UTC	Sublime Security	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Link to auto-downloaded DMG in encrypted zip	2d ago Jul 16th, 2025 UTC	Sublime Security	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Encrypted Microsoft Office Files From Untrusted Senders	15d ago Jul 3rd, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7
Attachment: Malformed OLE file	7mo ago Nov 25th, 2024 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f
Attachment: HTML file with reference to recipient and suspicious patterns	1y ago May 3rd, 2024 UTC	Sublime Security	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: JavaScript file with suspicious base64-encoded executable	1y ago Apr 1st, 2024 UTC	Sublime Security	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3
Attachment: DocX embedded Binary	1y ago Mar 26th, 2024 UTC	Sublime Security	Malware/Ransomware Evasion Archive analysis Content analysis YARA	/feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241
Attachment: HTML smuggling with embedded base64-encoded executable	1y ago Mar 25th, 2024 UTC	Sublime Security	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527
Attachment: Archive with embedded EXE file	1y ago Feb 27th, 2024 UTC	Sublime Security	Malware/Ransomware Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86
Attachment: RTF with embedded content	1y ago Feb 26th, 2024 UTC	@amitchell516	Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Archive contains DLL-loading macro	2y ago Dec 28th, 2023 UTC	Sublime Security	Malware/Ransomware Exploit LNK Macros Scripting Archive analysis File analysis Macro analysis YARA	/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment: Malicious OneNote Commands	2y ago Aug 21st, 2023 UTC	@Kyle_Parrish_	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA	/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: HTML file with excessive padding and suspicious patterns	2y ago Aug 21st, 2023 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e