Attachment: Encrypted zip file with payment-related lure
Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction.
MITRE ATT&CK
defense-evasion, initial-access
Detection Query
// Inbound messages only, with at least one attachment present.
// The attachment checks further down inspect attachments[0] only.
type.inbound
and length(attachments) > 0
// 3 instances of zip/encrypted/payment information
// Any three of the following eight body/subject signals must match.
and 3 of (
regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
// NOTE(review): icontains is case-insensitive, so [A-Z0-9]{8,} also
// matches a lowercase or mixed-case token after "password ... is" —
// confirm this is intended rather than an uppercase-only password check.
regex.icontains(body.current_thread.text,
'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
),
regex.icontains(body.current_thread.text,
'details.{1,20}payment.{1,30}attach'
),
strings.icontains(subject.subject, "you have received"),
strings.icontains(subject.subject, "new debit"),
strings.icontains(subject.subject, "payment confirmation"),
strings.icontains(subject.subject, "invoice attached")
)
and (
// one attachment included and the file is a zip
// NOTE(review): only attachments[0] is examined, while the
// length(attachments) > 0 guard above admits multiple attachments; a zip
// at a later index is never checked — confirm whether that is intended.
attachments[0].file_extension == "zip"
and (
regex.icontains(attachments[0].file_name,
'payment|invoice|receipt|document|bank'
)
// long uppercase passwords
// Any run of 10+ uppercase letters anywhere in the body satisfies this
// branch; it is not tied to a "password" keyword, so ordinary uppercase
// words of that length also qualify.
or regex.contains(body.current_thread.text, '[A-Z]{10,}')
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: Encrypted zip file with payment-related lure"
description: "Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) > 0
// 3 instances of zip/encrypted/payment information
and 3 of (
regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
regex.icontains(body.current_thread.text,
'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
),
regex.icontains(body.current_thread.text,
'details.{1,20}payment.{1,30}attach'
),
strings.icontains(subject.subject, "you have received"),
strings.icontains(subject.subject, "new debit"),
strings.icontains(subject.subject, "payment confirmation"),
strings.icontains(subject.subject, "invoice attached")
)
and (
// one attachment included and the file is a zip
attachments[0].file_extension == "zip"
and (
regex.icontains(attachments[0].file_name,
'payment|invoice|receipt|document|bank'
)
// long uppercase passwords
or regex.contains(body.current_thread.text, '[A-Z]{10,}')
)
)
attack_types:
- "BEC/Fraud"
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
id: "5d1eb7af-178b-50a0-85ee-d9eb4ffe4c6c"