Attachment: Office file with suspicious function calls or downloaded file path

name: "Attachment: Office file with suspicious function calls or downloaded file path"
description: "Attached Office file contains suspicious function calls or known malicious file path pattern."
references:
  - "https://app.docguard.io/c3e75d7a32a4959724f24c1004724951482cd732db7d287989c873c09166ff95/c3036de5-89b1-49c6-9681-706f5b9af264/0/results/dashboard"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            // office files
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000
            )
          )
          and (
            any(file.explode(.),
                (
                  any(.scan.strings.strings,
                      strings.ilike(., '*URLDownloadToFile*')
                  )
                  and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
                )
                or any(.scan.strings.strings,
                       regex.icontains(.,
                                       'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}'
                       )
                )
            )
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "4c78b969-9df8-59e1-8f65-43afdb06c817"