Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Detection Query
type.inbound
and any(attachments,
        (
          .file_extension in~ ("rtf", "doc", "docx")
          or .file_extension in~ $file_extensions_common_archives
          or .file_extension in~ $file_extensions_macros
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and any(file.explode(.),
                any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
                and length(filter(.scan.strings.strings,
                                  strings.ilike(., '{\f*;}')
                           )
                ) > 10000
        )
)
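The query above keys on two things: the attachment carries an RTF `\fonttbl` group, and more than 10000 individual font definitions (`{\f...;}`) appear inside it. The following is an added standalone example, not Sublime's rule engine or any code from the references, that applies the same heuristic to raw attachment bytes so an analyst can triage a sample offline. It identifies RTF by its `{\rtf` magic rather than by extension (the rule also covers `.doc`/`.docx` and unknown octet-streams because an RTF body can sit behind any of those), and the sample inputs are constructed inline.

```python
import re

# Threshold taken from the Sublime rule: more than 10000 font definitions is flagged.
FONT_THRESHOLD = 10000

# RTF documents start with "{\rtf"; the byte check replaces the rule's extension check
# because the rule itself admits .doc/.docx/unknown attachments that are really RTF.
RTF_MAGIC = b"{\\rtf"
FONTTBL = re.compile(rb"\\fonttbl", re.IGNORECASE)
# One font definition, e.g. {\f0\fswiss\fcharset0 Arial;}. Requiring digits after \f
# approximates the rule's '{\f*;}' glob without also counting the {\fonttbl group itself.
FONT_ENTRY = re.compile(rb"\{\\f\d+[^{}]*;\}", re.IGNORECASE)


def looks_like_rtf(data: bytes) -> bool:
    """True if the bytes carry the RTF magic, regardless of the file name."""
    return data.lstrip().startswith(RTF_MAGIC)


def count_font_entries(data: bytes) -> int:
    """Number of individual font definitions found in the attachment."""
    return len(FONT_ENTRY.findall(data))


def is_suspicious(data: bytes, threshold: int = FONT_THRESHOLD) -> bool:
    """Mirror the rule: RTF with a \\fonttbl group and an excessive font count."""
    if not looks_like_rtf(data) or not FONTTBL.search(data):
        return False
    return count_font_entries(data) > threshold


def build_sample_rtf(n_fonts: int) -> bytes:
    """Constructed test input: a minimal RTF whose font table declares n_fonts fonts."""
    fonts = b"".join(b"{\\f%d\\fswiss\\fcharset0 Arial;}" % i for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + fonts + b"}\\f0 Hello}"


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_rtf(3)),
                          ("excessive", build_sample_rtf(FONT_THRESHOLD + 1))):
        print(label, count_font_entries(sample), is_suspicious(sample))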
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
Raw Content
name: "Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability"
description: |
  Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
references:
  - "https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d"
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716"
  - "https://twitter.com/jduck/status/1632471544935923712"
  - "https://github.com/gyaansastra/CVE-2023-21716"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("rtf", "doc", "docx")
            or .file_extension in~ $file_extensions_common_archives
            or .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
                  and length(filter(.scan.strings.strings,
                                    strings.ilike(., '{\f*;}')
                             )
                  ) > 10000
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"