sublime | high | Rule

Attachment: Excel file with suspicious template identifier

Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.

Detection Query

type.inbound
and any(attachments,
        .file_type == "xlsx"
        and any(beta.parse_exif(.).fields,
                .key == "Template" and .value == "TM16390866"
        )
)
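
For triaging a sample outside the mail pipeline, the same comparison can be made by hand. The following is an added example, not part of the rule or of Sublime's code: it assumes the EXIF "Template" field the rule reads corresponds to the Template element of docProps/app.xml in the OOXML package, and the function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Extended-properties namespace used by docProps/app.xml in OOXML packages.
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
RULE_TEMPLATE = "TM16390866"   # value the rule on this page matches
MAX_APP_XML = 1 << 20          # cap on bytes read from the untrusted part


def template_of(xlsx_bytes):
    """Return the Template property of an OOXML package, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
            with pkg.open("docProps/app.xml") as part:
                raw = part.read(MAX_APP_XML + 1)
    except (zipfile.BadZipFile, KeyError, RuntimeError, NotImplementedError):
        return None            # not a zip, part missing, encrypted or unsupported
    if len(raw) > MAX_APP_XML or b"<!DOCTYPE" in raw:
        return None            # oversized or DTD-bearing part: refuse to parse
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    node = root.find(f"{{{EP_NS}}}Template")
    return node.text if node is not None else None


def matches_rule(xlsx_bytes):
    """Exact string comparison, mirroring the rule's `.value == "TM16390866"`."""
    return template_of(xlsx_bytes) == RULE_TEMPLATE


def build_sample(template=None):
    """Constructed input: a minimal zip carrying only docProps/app.xml."""
    tmpl = f"<Template>{template}</Template>" if template else ""
    app = (f'<?xml version="1.0"?><Properties xmlns="{EP_NS}">{tmpl}'
           "<Application>Microsoft Excel</Application></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in [("tagged", build_sample(RULE_TEMPLATE)),
                        ("other", build_sample("Book.xltx")),
                        ("no-template", build_sample()),
                        ("not-a-zip", b"plain text")]:
        print(label, template_of(data), matches_rule(data))
```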

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Attachment: Excel file with suspicious template identifier"
description: "Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "xlsx"
          and any(beta.parse_exif(.).fields,
                  .key == "Template" and .value == "TM16390866"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "40f84b4b-396b-52e8-8d2c-f30016e4096d"