sublimemediumRule

Attachment: Macro files containing MHT content

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1566 T1566.002 T1598 T1036 T1027 T1059.005 T1059

defense-evasionexecution

Detection Query

type.inbound
and any(attachments,
        .file_extension in $file_extensions_macros
        and any(file.explode(.),
                .file_extension == "mht"
                and not .flavors.mime == "message/rfc822"
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Tags

Attack surface reduction

Raw Content

name: "Attachment: Macro files containing MHT content"
description: "Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_macros
          and any(file.explode(.),
                  .file_extension == "mht"
                  and not .flavors.mime == "message/rfc822"
          )
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
id: "4d54e40b-b6ad-5e9d-ba5e-588cece0b7a6"