Attachment: TAR file with RAR type
Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique.
Detection Query
type.inbound
and any(attachments, .file_extension =~ "tar" and .file_type =~ "rar")
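The rule compares the attachment's claimed extension with its content-derived type. As an added example (not Sublime's own code), the following sniffs the real container type from the leading bytes of an attachment and applies the same TAR-extension / RAR-body predicate over a message's attachments; the sample attachments are constructed byte strings, not real archives.

```python
"""Flag attachments whose .tar extension hides a RAR archive body.

Added example, not Sublime's implementation: the platform resolves
.file_type from content itself; this re-creates that check with magic bytes.
"""
import os

# RAR 4.x and RAR 5.x archives begin with these fixed signatures.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# ustar-format TAR headers carry the string "ustar" at byte offset 257.
TAR_MAGIC_OFFSET = 257
TAR_MAGIC = b"ustar"


def sniff_file_type(data: bytes) -> str:
    """Return 'rar', 'tar' or 'unknown' from content, ignoring the filename."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return "unknown"


def file_extension(filename: str) -> str:
    """Lower-cased extension without the dot, mirroring the rule's case-insensitive =~."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def tar_extension_with_rar_body(filename: str, data: bytes) -> bool:
    """The rule's per-attachment predicate: .tar name over a RAR body."""
    return file_extension(filename) == "tar" and sniff_file_type(data) == "rar"


def matching_attachments(attachments):
    """Names of attachments (as (name, bytes) pairs) that satisfy the predicate."""
    return [name for name, data in attachments if tar_extension_with_rar_body(name, data)]


# Constructed samples: a bare RAR5 signature and a bare ustar header block.
FAKE_RAR = RAR5_MAGIC + b"\x00" * 32
FAKE_TAR = b"\x00" * TAR_MAGIC_OFFSET + TAR_MAGIC + b"\x00" * 250
SAMPLE_ATTACHMENTS = [
    ("invoice.tar", FAKE_RAR),  # extension/type mismatch: the rule fires
    ("backup.tar", FAKE_TAR),   # consistent: no alert
    ("archive.rar", FAKE_RAR),  # consistent: no alert
]

if __name__ == "__main__":
    print(matching_attachments(SAMPLE_ATTACHMENTS))
```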
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: TAR file with RAR type"
description: "Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments, .file_extension =~ "tar" and .file_type =~ "rar")
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "364a0ea6-8011-5de2-b4c5-5eff8134037a"