Sublime Security rule (severity: high)
Attachment: Excel Web Query File (IQY)
Recursively scans files and archives to detect IQY files. IQY files can be used to coerce a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.
Detection Query
type.inbound
and (
  any(attachments, .file_extension =~ "iqy")
  or (
    any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.), .file_extension =~ "iqy")
    )
  )
)
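The rule above has two branches: a direct match on an attachment whose extension is "iqy" (case-insensitive, which is what the =~ operator gives you), and a recursive match through file.explode(.) for archives in $file_extensions_common_archives. The following Python script is an added example, not code from Sublime Security or the rule author, that reproduces that logic over constructed sample attachments so the recursion through nested archives is visible. It assumes zip is the only archive type (a stand-in for $file_extensions_common_archives, since zipfile is in the standard library) and bounds the explode depth so a deeply nested archive cannot run away.

```python
import io
import zipfile
from typing import Iterator, List, Tuple

# Stand-in for Sublime's $file_extensions_common_archives (assumption: only
# zip is handled here because zipfile ships with the standard library).
COMMON_ARCHIVE_EXTENSIONS = {"zip"}
MAX_EXPLODE_DEPTH = 5  # bound the recursion so nested archives cannot run away


def file_extension(name: str) -> str:
    """Lower-cased extension without the dot, or '' if the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode(name: str, data: bytes, depth: int = 0) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, bytes) for a file and, recursively, for every member of any
    zip archive it turns out to be; this mirrors file.explode(.) in the rule."""
    yield name, data
    if depth >= MAX_EXPLODE_DEPTH or file_extension(name) not in COMMON_ARCHIVE_EXTENSIONS:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):  # directory entry, nothing to scan
                    continue
                yield from explode(member, zf.read(member), depth + 1)
    except zipfile.BadZipFile:
        return  # mislabeled or corrupt archive: treat it as an opaque file


def matches_iqy_rule(attachments: List[Tuple[str, bytes]]) -> bool:
    """Equivalent of the rule body: any attachment is itself an .iqy, or any
    common-archive attachment explodes to an .iqy at some depth."""
    for name, data in attachments:
        if file_extension(name) == "iqy":
            return True
        if file_extension(name) in COMMON_ARCHIVE_EXTENSIONS:
            if any(file_extension(n) == "iqy" for n, _ in explode(name, data)):
                return True
    return False


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments (not real samples; the URL is a placeholder).
IQY_TEXT = b"WEB\n1\nhttp://example.invalid/query\n"
SAMPLE_PLAIN = [("REPORT.IQY", IQY_TEXT)]                       # upper-case extension
SAMPLE_NESTED = [("invoice.zip", _zip_bytes({"inner.zip": _zip_bytes({"q.iqy": IQY_TEXT})}))]
SAMPLE_BENIGN = [("report.xlsx", b"PK\x03\x04"), ("notes.zip", _zip_bytes({"readme.txt": b"hi"}))]

if __name__ == "__main__":
    for label, atts in [("plain", SAMPLE_PLAIN), ("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN)]:
        print(f"{label}: {'MATCH' if matches_iqy_rule(atts) else 'no match'}")
```

The upper-case REPORT.IQY case is worth keeping in any local test set: a scanner that compares extensions case-sensitively misses it, while the rule's =~ operator does not.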
Author
jkcoote
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
References
http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html
https://delivr.to/payloads?id=c8c6c2dd-f882-48c1-9d3c-d338c45f95fe
Raw Content
name: "Attachment: Excel Web Query File (IQY)"
description: |
  Recursively scans files and archives to detect IQY files.
  IQY files can be used to coerce a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.
references:
  - "http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html"
  - "https://delivr.to/payloads?id=c8c6c2dd-f882-48c1-9d3c-d338c45f95fe"
type: "rule"
authors:
  - twitter: "jkcoote"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments, .file_extension =~ "iqy")
    or (
      any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.), .file_extension =~ "iqy")
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "510412b5-1926-538f-a510-d796ecd2dc2d"