Email Attachments With Lots Of Spaces

name: Email Attachments With Lots Of Spaces
id: 56e877a6-1455-4479-ada6-0550dc1e22f8
version: 10
date: '2026-03-25'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: The following analytic detects email attachments with an unusually high number of spaces in their file names, which is a common tactic used by attackers to obfuscate file extensions. It leverages the Email data model to identify attachments where the ratio of spaces to the total file name length exceeds 10%. This behavior is significant as it may indicate an attempt to bypass security filters and deliver malicious payloads. If confirmed malicious, this activity could lead to the execution of harmful code or unauthorized access to sensitive information within the recipient's environment.
data_source: []
search: |-
    | tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime FROM datamodel=Email
      WHERE All_Email.file_name="*"
      BY All_Email.src_user, All_Email.file_name All_Email.message_id
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `drop_dm_object_name("All_Email")`
    | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name)
    | search space_ratio >= 0.1
    | rex field=recipient_address "(?<recipient_user>.*)@"
    | `email_attachments_with_lots_of_spaces_filter`
how_to_implement: "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.\n**Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The finding based event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox."
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Abnormal number of spaces present in attachment filename from $src_user$
    risk_objects:
        - field: src_user
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Data Destruction
        - Emotet Malware DHS Report TA18-201A
        - Hermetic Wiper
        - Suspicious Emails
    asset_type: Endpoint
    mitre_attack_id:
        - T1566.001
        - T1036.008
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network