Sublime | Severity: high | Rule
Attachment: XLSX file with suspicious print titles metadata
Detects inbound XLSX attachments whose EXIF TitlesOfParts metadata (the workbook's worksheet and named-range names) starts with a sheet name and ends with a sheet named 'Company_Name' immediately followed by '<that sheet>!Print_Titles', a fixed layout that potentially indicates templated malicious document preparation.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "xlsx"),
        // get the TitlesOfParts (for Excel documents these are the worksheet names, followed by named ranges)
        // https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/de32de14-9573-46f3-9f38-19659e3a8d9a
        any(filter(beta.parse_exif(.).fields, .key == "TitlesOfParts"),
            // extract the first sheet name
            any(regex.iextract(.value, '^\[\"(?P<first_sheet>[^\"]+)\"'),
                // check that the value ends with a sheet named "Company_Name" immediately followed by
                // "<first_sheet>!Print_Titles", i.e. the first sheet's print titles are the last entry
                strings.ends_with(..value,
                                  strings.concat("Company_Name\",\"",
                                                 .named_groups["first_sheet"],
                                                 '!Print_Titles"]'
                                  )
                )
            )
        )
)
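The same check re-implemented offline in Python, as an added example that is not part of the Sublime rule or its repository. It reads TitlesOfParts straight from docProps/app.xml (where Excel stores the worksheet names followed by defined-name ranges such as print titles), renders the list in the JSON-like form the rule's regex is written against, and applies the first-sheet / Company_Name / Print_Titles suffix test. build_xlsx, titles_of_parts, exif_style_value, matches_rule and scan_xlsx are names chosen here; the sample workbooks are constructed, minimal zips that contain only docProps/app.xml, and rendering the EXIF value as a compact JSON array is an assumption about what beta.parse_exif exposes as .value.

```python
"""Offline re-implementation of the TitlesOfParts check (added example, not the rule's code)."""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by docProps/app.xml, the OOXML part that carries TitlesOfParts.
NS_EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Same pattern as the rule's regex.iextract; the leading "i" is mirrored with IGNORECASE.
FIRST_SHEET = re.compile(r'^\["(?P<first_sheet>[^"]+)"', re.IGNORECASE)


def build_xlsx(worksheets, named_ranges):
    """Constructed sample: a minimal OOXML zip holding only docProps/app.xml.

    TitlesOfParts lists worksheet names first, then named ranges, and
    HeadingPairs records how many of each. This is not a full workbook.
    """
    def lpstr(values):
        return "".join(f"<vt:lpstr>{escape(v)}</vt:lpstr>" for v in values)

    parts = list(worksheets) + list(named_ranges)
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS_EP}" xmlns:vt="{NS_VT}">'
        "<Application>Microsoft Excel</Application>"
        '<HeadingPairs><vt:vector size="4" baseType="variant">'
        "<vt:variant><vt:lpstr>Worksheets</vt:lpstr></vt:variant>"
        f"<vt:variant><vt:i4>{len(worksheets)}</vt:i4></vt:variant>"
        "<vt:variant><vt:lpstr>Named Ranges</vt:lpstr></vt:variant>"
        f"<vt:variant><vt:i4>{len(named_ranges)}</vt:i4></vt:variant>"
        "</vt:vector></HeadingPairs>"
        f'<TitlesOfParts><vt:vector size="{len(parts)}" baseType="lpstr">'
        f"{lpstr(parts)}</vt:vector></TitlesOfParts>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


def titles_of_parts(xlsx_bytes):
    """Return the TitlesOfParts entries of an .xlsx in document order ([] if absent)."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
            app_xml = zf.read("docProps/app.xml")
    except (zipfile.BadZipFile, KeyError):
        return []
    node = ET.fromstring(app_xml).find(f"{{{NS_EP}}}TitlesOfParts")
    if node is None:
        return []
    return [el.text or "" for el in node.iter(f"{{{NS_VT}}}lpstr")]


def exif_style_value(titles):
    """Render the list as ["a","b",...], the shape the rule's '^\\["' anchor and '"]' suffix expect.

    Assumption: this mirrors the string form beta.parse_exif exposes as .value.
    """
    return json.dumps(list(titles), separators=(",", ":"), ensure_ascii=False)


def matches_rule(value):
    """The rule's predicate on one TitlesOfParts value string."""
    m = FIRST_SHEET.match(value)
    if not m:
        return False
    # strings.ends_with(..value, strings.concat("Company_Name\",\"", first_sheet, '!Print_Titles"]'))
    expected_suffix = 'Company_Name","' + m.group("first_sheet") + '!Print_Titles"]'
    return value.endswith(expected_suffix)


def scan_xlsx(xlsx_bytes):
    """True when the attachment's TitlesOfParts metadata matches the rule."""
    titles = titles_of_parts(xlsx_bytes)
    return bool(titles) and matches_rule(exif_style_value(titles))


if __name__ == "__main__":
    hit = build_xlsx(["Sheet1", "Company_Name"], ["Sheet1!Print_Titles"])
    benign = build_xlsx(["Sheet1", "Sheet2"], ["Sheet1!Print_Titles"])
    print(exif_style_value(titles_of_parts(hit)), scan_xlsx(hit))        # True
    print(exif_style_value(titles_of_parts(benign)), scan_xlsx(benign))  # False
```

Two details worth keeping in mind when tuning this: the suffix test is exact and order-sensitive (a workbook that carries the same three names in a different order does not match), and the extraction regex is case-insensitive while the suffix comparison here is case-sensitive, so a sheet whose print-title entry differs in case from its sheet name does not match either.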
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: XLSX file with suspicious print titles metadata"
description: "Detects inbound XLSX attachments whose EXIF TitlesOfParts metadata (the workbook's worksheet and named-range names) starts with a sheet name and ends with a sheet named 'Company_Name' immediately followed by '<that sheet>!Print_Titles', a fixed layout that potentially indicates templated malicious document preparation."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "xlsx"),
          // get the TitlesOfParts (for Excel documents these are the worksheet names, followed by named ranges)
          // https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/de32de14-9573-46f3-9f38-19659e3a8d9a
          any(filter(beta.parse_exif(.).fields, .key == "TitlesOfParts"),
              // extract the first sheet name
              any(regex.iextract(.value, '^\[\"(?P<first_sheet>[^\"]+)\"'),
                  // check that the value ends with a sheet named "Company_Name" immediately followed by
                  // "<first_sheet>!Print_Titles", i.e. the first sheet's print titles are the last entry
                  strings.ends_with(..value,
                                    strings.concat("Company_Name\",\"",
                                                   .named_groups["first_sheet"],
                                                   '!Print_Titles"]'
                                    )
                  )
              )
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Macros"
detection_methods:
- "File analysis"
- "Exif analysis"
id: "4c265cbe-bb77-5851-bbf5-1543afca1750"