EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: OLE external relationship containing file scheme link to IP address

This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.

MITRE ATT&CK

T1566.001T1204.002T1486T1036T1027
defense-evasion

Detection Query

type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or .file_extension in~ $file_extensions_common_archives
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and any(file.oletools(.).relationships,
                .target_url.scheme == "file"
                and regex.contains(.target_url.path,
                                   '([0-9]{2,3}\.){3}[0-9]{2,3}'
                )
                and not regex.icontains(.target_url.path,
                                        '(10\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(172\.(?:1[6-9]|2\d|3[0-1])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(192\.168\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))'
                )
        )
)
and (
  not profile.by_sender().any_messages_benign
  or profile.by_sender().any_messages_malicious_or_spam
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: OLE external relationship containing file scheme link to IP address"
description: "This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space. "
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.oletools(.).relationships,
                  .target_url.scheme == "file"
                  and regex.contains(.target_url.path,
                                     '([0-9]{2,3}\.){3}[0-9]{2,3}'
                  )
                  and not regex.icontains(.target_url.path,
                                          '(10\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(172\.(?:1[6-9]|2\d|3[0-1])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(192\.168\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))'
                  )
          )
  )
  and (
    not profile.by_sender().any_messages_benign
    or profile.by_sender().any_messages_malicious_or_spam
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "OLE analysis"
  - "Sender analysis"

id: "3aab998c-00a6-5c10-b482-094db7140e52"