sublimelowRule

Attachment: Uncommon compressed file

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1566 T1566.002 T1598

Detection Query

type.inbound
and any(attachments,
        .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue')
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

Tags

Attack surface reduction

Raw Content

name: "Attachment: Uncommon compressed file"
description: |
  Use if passing compressed or archive files is not typical behavior in your 
  organization. This behavior has been observed in a number of phishing campaigns.
references:
  - "https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/"
  - "https://filesec.io/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"