← Back to Explore
sublimelowRule
Attachment: EML with Encrypted ZIP
Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.
Detection Query
type.inbound
// attached EML
and any(filter(attachments,
.content_type == "message/rfc822" or .file_extension in ('eml')
),
// Attached EML contains a ZIP file
any(filter(file.parse_eml(.).attachments,
.file_type == "zip" or .file_extension == "zip"
),
// ZIP file is encrypted
any(file.explode(.),
any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: EML with Encrypted ZIP"
description: "Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content."
type: "rule"
severity: "low"
source: |
type.inbound
// attached EML
and any(filter(attachments,
.content_type == "message/rfc822" or .file_extension in ('eml')
),
// Attached EML contains a ZIP file
any(filter(file.parse_eml(.).attachments,
.file_type == "zip" or .file_extension == "zip"
),
// ZIP file is encrypted
any(file.explode(.),
any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
- "YARA"
id: "6897a8f7-da66-52ed-a39e-d8c643e78fe9"