← Back to Explore
sublimemediumRule
Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA. Recursively explodes auto-downloaded files within archives to detect these file types. This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware. This technique has been used by known threat actors in the wild.
Detection Query
type.inbound
and any(body.links,
// Detect suspicious direct Google Drive downloads
(
strings.icontains(.href_url.url, "drive.google.com/uc")
and strings.icontains(.href_url.url, "export=download")
and any(ml.link_analysis(., mode="aggressive").files_downloaded,
.file_extension in $file_extensions_common_archives
)
)
or any(ml.link_analysis(.).files_downloaded,
// call parse_exif to see if there is a sus file
any(beta.parse_exif(.).fields,
.key == "ArchivedFileName"
and strings.ilike(.value,
"*.dll",
"*.html",
"*.exe",
"*.lnk",
"*.js",
"*.vba",
"*.vbs",
"*.vbe",
"*.bat"
)
)
or any(file.explode(.),
(
// look for files in encrypted zips.
// if password cracking the zip wasn't
// successful, our only opportunity to look
// for suspicious file types is here under
// .zip.attempted_files
"encrypted_zip" in .flavors.yara
and any(.scan.zip.attempted_files,
strings.ilike(.,
"*.dll",
"*.html",
"*.exe",
"*.lnk",
"*.js",
"*.vba",
"*.vbs",
"*.vbe",
"*.bat"
)
)
)
// for both non-encrypted zips and encrypted zips
// that were successfully cracked
or .file_extension in (
"dll",
"exe",
"html",
"lnk",
"js",
"vba",
"vbs",
"vbe",
"bat"
)
or strings.ilike(.file_name, "*.exe")
or (
.file_extension not in ("dll", "exe")
and (
.flavors.mime in ("application/x-dosexec")
or any(.flavors.yara, . in ('mz_file'))
)
)
or any(.flavors.yara, . == "macho_file")
)
and not (
ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
and .file_extension == "exe"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Link to auto-download of a suspicious file type (unsolicited)"
description: |
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.
This technique has been used by known threat actors in the wild.
type: "rule"
references:
- "https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
- "https://twitter.com/MsftSecIntel/status/1418706920152522753"
- "https://sandbox.sublimesecurity.com?id=e586c888-4426-41dd-a1be-5a13852075ef"
severity: "medium"
source: |
type.inbound
and any(body.links,
// Detect suspicious direct Google Drive downloads
(
strings.icontains(.href_url.url, "drive.google.com/uc")
and strings.icontains(.href_url.url, "export=download")
and any(ml.link_analysis(., mode="aggressive").files_downloaded,
.file_extension in $file_extensions_common_archives
)
)
or any(ml.link_analysis(.).files_downloaded,
// call parse_exif to see if there is a sus file
any(beta.parse_exif(.).fields,
.key == "ArchivedFileName"
and strings.ilike(.value,
"*.dll",
"*.html",
"*.exe",
"*.lnk",
"*.js",
"*.vba",
"*.vbs",
"*.vbe",
"*.bat"
)
)
or any(file.explode(.),
(
// look for files in encrypted zips.
// if password cracking the zip wasn't
// successful, our only opportunity to look
// for suspicious file types is here under
// .zip.attempted_files
"encrypted_zip" in .flavors.yara
and any(.scan.zip.attempted_files,
strings.ilike(.,
"*.dll",
"*.html",
"*.exe",
"*.lnk",
"*.js",
"*.vba",
"*.vbs",
"*.vbe",
"*.bat"
)
)
)
// for both non-encrypted zips and encrypted zips
// that were successfully cracked
or .file_extension in (
"dll",
"exe",
"html",
"lnk",
"js",
"vba",
"vbs",
"vbe",
"bat"
)
or strings.ilike(.file_name, "*.exe")
or (
.file_extension not in ("dll", "exe")
and (
.flavors.mime in ("application/x-dosexec")
or any(.flavors.yara, . in ('mz_file'))
)
)
or any(.flavors.yara, . == "macho_file")
)
and not (
ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
and .file_extension == "exe"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
- "LNK"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Sender analysis"
- "URL analysis"
- "YARA"
id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"