Author: sublime · Severity: high · Type: rule
Attachment: WinRAR CVE-2025-8088 exploitation
Detects attempts to exploit CVE-2025-8088 via attached RAR files
Detection Query
type.inbound
and any(attachments,
        // it's a RAR file: declared MIME type, extension, or magic-detected file type
        (
          .content_type == "application/x-rar-compressed"
          or .file_extension == "rar"
          or .file_type == "rar"
        )
        // under 10 MB (10,000,000 bytes; the comparison is strict)
        and .size < 10000000
        // explode the archive and inspect every resulting object
        and any(file.explode(.),
                // any exploded object carries the YARA match
                any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
        )
)
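To make the rule's gates concrete, here is a small Python model of the predicate above, run over constructed messages. It is an added example, not Sublime's engine or the project's code. The WinRAR_CVE_2025_8088 YARA rule itself is not on this page, so a hit is represented only by its name, and the shape of file.explode() output (the archive object plus one object per member, each with its own match list) is an assumption. The cases exercise the points a practitioner checks when tuning this rule: the magic-based .file_type catching a renamed archive, a hit on a nested member, the strict size boundary, and the RAR gate rejecting the same YARA name in a different container.

```python
"""Model of the Sublime MQL rule on this page, added here as an example.

Not Sublime's engine. The WinRAR_CVE_2025_8088 YARA rule is not reproduced
(its body is not on the page); a hit is represented only by its name on an
exploded object. The explode() shape is assumed: each attachment carries
the list of objects file.explode() would yield (archive plus members).
"""
from dataclasses import dataclass, field
from typing import Dict, List

YARA_RULE_NAME = "WinRAR_CVE_2025_8088"
MAX_SIZE = 10_000_000          # bytes; the rule uses a strict "<"
RAR_CONTENT_TYPE = "application/x-rar-compressed"


@dataclass
class ExplodedFile:
    """One object yielded by file.explode(): the archive or a member."""
    name: str
    yara_matches: List[str] = field(default_factory=list)


@dataclass
class Attachment:
    file_name: str
    content_type: str
    file_extension: str
    file_type: str                 # magic-based type (assumed field shape)
    size: int
    exploded: List[ExplodedFile] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


def is_rar(att: Attachment) -> bool:
    """The rule's RAR gate: declared MIME type, extension, or magic type."""
    return (att.content_type == RAR_CONTENT_TYPE
            or att.file_extension == "rar"
            or att.file_type == "rar")


def attachment_hits(att: Attachment) -> bool:
    """RAR, under the size cap, and some exploded object carries the hit."""
    return (is_rar(att)
            and att.size < MAX_SIZE
            and any(YARA_RULE_NAME in f.yara_matches for f in att.exploded))


def matches_rule(msg: Message) -> bool:
    """Mirror of: type.inbound and any(attachments, ...)."""
    return msg.inbound and any(attachment_hits(a) for a in msg.attachments)


def _rar(name: str, size: int, hit_on: str = "", **overrides) -> Attachment:
    """Constructed RAR attachment; hit_on names the exploded object that matches."""
    fields = dict(content_type=RAR_CONTENT_TYPE, file_extension="rar",
                  file_type="rar")
    fields.update(overrides)
    objs = [ExplodedFile(name), ExplodedFile("member.txt")]
    for o in objs:
        if o.name == hit_on:
            o.yara_matches.append(YARA_RULE_NAME)
    return Attachment(file_name=name, size=size, exploded=objs, **fields)


def sample_messages() -> Dict[str, Message]:
    """Constructed cases covering the rule's gates and boundaries."""
    return {
        # straightforward hit on the archive object itself
        "rar_with_hit": Message(True, [_rar("invoice.rar", 120_000, "invoice.rar")]),
        # renamed archive: only the magic-detected file_type says "rar"
        "renamed_rar": Message(True, [_rar("invoice.pdf", 120_000, "invoice.pdf",
                                           content_type="application/octet-stream",
                                           file_extension="pdf")]),
        # hit on a nested member rather than on the archive record
        "nested_hit": Message(True, [_rar("docs.rar", 120_000, "member.txt")]),
        # clean archive: no YARA match anywhere
        "rar_no_hit": Message(True, [_rar("photos.rar", 120_000)]),
        # exactly at the cap: "<" is strict, so this archive is never exploded
        "at_size_cap": Message(True, [_rar("big.rar", MAX_SIZE, "big.rar")]),
        # outbound mail never matches, whatever the attachment holds
        "outbound": Message(False, [_rar("invoice.rar", 120_000, "invoice.rar")]),
        # same YARA name on a non-RAR container: the RAR gate rejects it
        "zip_with_hit": Message(True, [_rar("pack.zip", 120_000, "pack.zip",
                                            content_type="application/zip",
                                            file_extension="zip",
                                            file_type="zip")]),
    }


def evaluate() -> Dict[str, bool]:
    """Run the modelled rule over every constructed case."""
    return {name: matches_rule(msg) for name, msg in sample_messages().items()}


if __name__ == "__main__":
    for case, verdict in evaluate().items():
        print(f"{case:14s} -> {'ALERT' if verdict else 'pass'}")
```

Two dependencies follow from the model and are worth checking before relying on the rule: it only fires where the WinRAR_CVE_2025_8088 YARA rule is actually deployed in the scanning environment, and archives of 10,000,000 bytes or more are never exploded, so a large archive is a blind spot that needs separate size-based handling.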
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: WinRAR CVE-2025-8088 exploitation"
description: |
  Detects attempts to exploit CVE-2025-8088 via attached RAR files
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          // it's a RAR file: declared MIME type, extension, or magic-detected file type
          (
            .content_type == "application/x-rar-compressed"
            or .file_extension == "rar"
            or .file_type == "rar"
          )
          // under 10 MB (10,000,000 bytes; the comparison is strict)
          and .size < 10000000
          // explode the archive and inspect every resulting object
          and any(file.explode(.),
                  // any exploded object carries the YARA match
                  any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "33b3a82b-0721-53b8-a5f2-d28e3d791b60"