
Attachment: ZIP file with CVE-2026-0866 exploit

Detects ZIP attachments containing exploits targeting CVE-2026-0866 vulnerability through YARA signature matching.

MITRE ATT&CK

execution, defense-evasion

Detection Query

any(filter(attachments, .file_type == "zip"),
    any(file.explode(.),
        any(.scan.yara.matches, .name in ("zip_cve_2026_0866"))
    )
)
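To make the nested `any(...)` semantics of the query concrete, here is an added Python model of the rule's logic run over constructed attachment metadata. This is not Sublime's code or its MQL engine: the data classes, the sample attachments and the assumption that `file.explode` walks nested archives recursively are all this example's own.

```python
from dataclasses import dataclass, field

# Hypothetical shapes standing in for the MQL objects the rule inspects:
# an attachment, the files file.explode() yields from it, and their YARA matches.
@dataclass
class YaraMatch:
    name: str

@dataclass
class ExplodedFile:
    file_name: str
    yara_matches: list                        # list[YaraMatch] from .scan.yara.matches
    children: list = field(default_factory=list)  # files nested inside this one (archive in archive)

@dataclass
class Attachment:
    file_name: str
    file_type: str                            # corresponds to .file_type in the query
    exploded: list                            # files produced by file.explode(.)

# The YARA rule name the detection looks for (from the query above).
TARGET_YARA = {"zip_cve_2026_0866"}

def walk(files):
    """Yield every exploded file, descending into nested archives.
    Assumption: file.explode() is recursive, so a match deep inside a
    zip-within-a-zip still counts."""
    for f in files:
        yield f
        yield from walk(f.children)

def rule_matches(attachments):
    """Mirror the three nested any() calls:
    any zip attachment -> any exploded file -> any YARA match with a target name."""
    return any(
        any(m.name in TARGET_YARA
            for f in walk(a.exploded)
            for m in f.yara_matches)
        for a in attachments
        if a.file_type == "zip"               # filter(attachments, .file_type == "zip")
    )

def matching_attachments(attachments):
    """Names of the attachments that would fire the rule, for alert context."""
    return [a.file_name for a in attachments
            if a.file_type == "zip" and rule_matches([a])]

# Constructed sample message: one benign zip, one non-zip carrying a hit
# (shows the file_type gate), and one zip whose nested archive carries the hit.
SAMPLE_ATTACHMENTS = [
    Attachment("report.zip", "zip", [
        ExplodedFile("report.docx", []),
    ]),
    Attachment("brochure.pdf", "pdf", [
        ExplodedFile("brochure.pdf", [YaraMatch("zip_cve_2026_0866")]),
    ]),
    Attachment("invoice.zip", "zip", [
        ExplodedFile("inner.zip", [], children=[
            ExplodedFile("payload.bin", [YaraMatch("zip_cve_2026_0866")]),
        ]),
    ]),
]

if __name__ == "__main__":
    print("rule fires:", rule_matches(SAMPLE_ATTACHMENTS))
    print("offending attachments:", matching_attachments(SAMPLE_ATTACHMENTS))
```

The `brochure.pdf` sample illustrates the `filter(attachments, .file_type == "zip")` gate: a YARA hit inside a non-zip attachment does not trigger this particular rule, so coverage for other container types has to come from a separate rule.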

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Attachment: ZIP file with CVE-2026-0866 exploit"
description: "Detects ZIP attachments containing exploits targeting CVE-2026-0866 vulnerability through YARA signature matching."
type: "rule"
severity: "medium"
source: |
  any(filter(attachments, .file_type == "zip"),
      any(file.explode(.),
          any(.scan.yara.matches, .name in ("zip_cve_2026_0866"))
      )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "88ef27ac-8996-5c45-bfa5-b8222126df22"