← Back to Explore
sublimelowRule
Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives. Attackers often embed malicious files within archives to bypass email gateway controls.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rar"
)
and any(file.explode(.),
.file_extension in~ (
// File types blocked by Gmail by default
// https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
"ade",
"adp",
"apk",
"appx",
"appxbundle",
"bat",
"cab",
"chm",
"cmd",
"com",
"cpl",
"dll",
"dmg",
"ex",
"ex_",
"exe",
"hta",
"ins",
"isp",
"iso",
"jar",
"js",
"jse",
"lib",
"lnk",
"mde",
"msc",
"msi",
"msix",
"msixbundle",
"msp",
"mst",
"nsh",
"pif",
"ps1",
"scr",
"sct",
"shb",
"sys",
"vb",
"vbe",
"vbs",
"vxd",
"wsc",
"wsf",
"wsh",
// File types blocked by Microsoft 365 by default
// https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
"ade",
"adp",
"app",
"application",
"appref-ms",
"asp",
"aspx",
"asx",
// "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
"bat",
"bgi",
"cab",
// "cer",
"chm",
"cmd",
"cnt",
"com",
"cpl",
// "crt",
// "csh",
// "der",
"diagcab",
"exe",
"fxp",
"gadget",
// "grp",
"hlp",
"hpj",
"hta",
"htc",
// "inf",
"ins",
"iso",
"isp",
"its",
"jar",
"jnlp",
"js",
"jse",
"ksh",
"lnk",
"mad",
"maf",
"mag",
"mam",
"maq",
"mar",
"mas",
"mat",
"mau",
"mav",
"maw",
"mcf",
"mda",
// "mdb",
"mde",
"mdt",
"mdw",
"mdz",
"msc",
"msh",
"msh1",
"msh2",
"mshxml",
"msh1xml",
"msh2xml",
"msi",
"msp",
"mst",
"msu",
"ops",
"osd",
"pcd",
"pif",
"pl",
"plg",
"prf",
"prg",
"printerexport",
"ps1",
"ps1xml",
"ps2",
"ps2xml",
"psc1",
"psc2",
"psd1",
"psdm1",
"pst",
// "py",
// "pyc",
"pyo",
"pyw",
"pyz",
"pyzw",
"reg",
"scf",
"scr",
"sct",
"shb",
"shs",
"theme",
// "tmp",
"url",
"vb",
"vbe",
"vbp",
"vbs",
"vhd",
"vhdx",
"vsmacros",
"vsw",
"webpnp",
"website",
"ws",
"wsc",
"wsf",
"wsh",
"xbap",
"xll",
"xnk"
)
or (
// BASIC files can naturally occur in word docs,
// so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
.depth == 1
and .file_extension =~ "bas"
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Attachment: Archive containing disallowed file type"
description: |
Recursively scans archives to detect disallowed file types. File extensions can be detected
within password-protected archives.
Attackers often embed malicious files within archives to bypass email gateway controls.
references:
- "https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments"
- "https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519"
type: "rule"
severity: "low"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rar"
)
and any(file.explode(.),
.file_extension in~ (
// File types blocked by Gmail by default
// https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
"ade",
"adp",
"apk",
"appx",
"appxbundle",
"bat",
"cab",
"chm",
"cmd",
"com",
"cpl",
"dll",
"dmg",
"ex",
"ex_",
"exe",
"hta",
"ins",
"isp",
"iso",
"jar",
"js",
"jse",
"lib",
"lnk",
"mde",
"msc",
"msi",
"msix",
"msixbundle",
"msp",
"mst",
"nsh",
"pif",
"ps1",
"scr",
"sct",
"shb",
"sys",
"vb",
"vbe",
"vbs",
"vxd",
"wsc",
"wsf",
"wsh",
// File types blocked by Microsoft 365 by default
// https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
"ade",
"adp",
"app",
"application",
"appref-ms",
"asp",
"aspx",
"asx",
// "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
"bat",
"bgi",
"cab",
// "cer",
"chm",
"cmd",
"cnt",
"com",
"cpl",
// "crt",
// "csh",
// "der",
"diagcab",
"exe",
"fxp",
"gadget",
// "grp",
"hlp",
"hpj",
"hta",
"htc",
// "inf",
"ins",
"iso",
"isp",
"its",
"jar",
"jnlp",
"js",
"jse",
"ksh",
"lnk",
"mad",
"maf",
"mag",
"mam",
"maq",
"mar",
"mas",
"mat",
"mau",
"mav",
"maw",
"mcf",
"mda",
// "mdb",
"mde",
"mdt",
"mdw",
"mdz",
"msc",
"msh",
"msh1",
"msh2",
"mshxml",
"msh1xml",
"msh2xml",
"msi",
"msp",
"mst",
"msu",
"ops",
"osd",
"pcd",
"pif",
"pl",
"plg",
"prf",
"prg",
"printerexport",
"ps1",
"ps1xml",
"ps2",
"ps2xml",
"psc1",
"psc2",
"psd1",
"psdm1",
"pst",
// "py",
// "pyc",
"pyo",
"pyw",
"pyz",
"pyzw",
"reg",
"scf",
"scr",
"sct",
"shb",
"shs",
"theme",
// "tmp",
"url",
"vb",
"vbe",
"vbp",
"vbs",
"vhd",
"vhdx",
"vsmacros",
"vsw",
"webpnp",
"website",
"ws",
"wsc",
"wsf",
"wsh",
"xbap",
"xll",
"xnk"
)
or (
// BASIC files can naturally occur in word docs,
// so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
.depth == 1
and .file_extension =~ "bas"
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"