Attachment: DOCX with hyperlink targeting recipient address
Detects DOCX and DOCM attachments containing a `<w:hyperlink>` element whose `w:anchor` attribute value equals the first To: recipient's email address, either in clear text or base64-encoded. Embedding the recipient's own address in a document hyperlink is a common way to personalize phishing lures, and encoding it is a way to evade simple string matching. Note that the rule compares only the first To: recipient; CC, BCC and additional To: recipients are not checked.
Detection Query
// Inbound mail only. The attachment filter is purely extension-based
// (.docx/.docm), so a Word file with another or no extension is not examined,
// and .dotx/.dotm templates are excluded.
// NOTE(review): confirm .file_extension is normalized to lower case by the
// platform; otherwise an upper-case 'DOCX' extension would be skipped.
type.inbound
and any(filter(attachments, .file_extension in ('docx', 'docm')),
// Explode the OOXML package and keep only the parts whose raw strings contain
// a <w:hyperlink> element (case-insensitive).
any(filter(file.explode(.),
strings.icontains(.scan.strings.raw, '<w:hyperlink')
),
// Pull the w:anchor attribute value out of each hyperlink. The pattern only
// finds w:anchor inside the same <w:hyperlink ...> tag and requires the value
// to be double-quoted. In WordprocessingML w:anchor normally names an
// in-document bookmark (external targets go through r:id relationships), so a
// recipient address here is anomalous — presumably the point of the rule;
// verify against the OOXML spec.
any(regex.iextract(.scan.strings.raw,
'<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
),
// Branch 1: the anchor value is exactly the first To: recipient's address.
// Only recipients.to[0] is compared — other To:, CC and BCC recipients are
// not checked. This is an exact (presumably case-sensitive) comparison, so a
// differently-cased anchor would not match on this branch.
.named_groups["email_address"] == recipients.to[0].email.email
// Branch 2: the anchor value appears to be base64 whose decoded text contains
// the same address (case-insensitive). Covers lures that encode the target
// address instead of writing it in clear.
or any(strings.scan_base64(.named_groups["email_address"],
ignore_padding=true
),
strings.icontains(., recipients.to[0].email.email)
)
)
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime Security detection rule. The `source` block is the MQL query; the
# remaining keys are rule metadata.
name: "Attachment: DOCX with hyperlink targeting recipient address"
description: "Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection."
type: "rule"
severity: "medium"
# Query logic, read top-down:
#  1. inbound mail only;
#  2. attachments are selected purely by extension (.docx/.docm): a Word file
#     with another or no extension is not examined and .dotx/.dotm templates
#     are excluded (NOTE(review): confirm both are intended);
#  3. the OOXML package is exploded and only parts whose raw strings contain
#     '<w:hyperlink' are kept (case-insensitive);
#  4. the w:anchor value of each hyperlink is extracted with a regex that
#     requires a double-quoted attribute inside the same <w:hyperlink> tag;
#  5. match when that value equals recipients.to[0].email.email exactly, or
#     when it is base64 whose decoded text contains that address
#     (case-insensitive).
# Only the first To: recipient is compared; other To:, CC and BCC recipients
# are not checked. In WordprocessingML w:anchor normally names an in-document
# bookmark (external targets go through r:id relationships), so a recipient
# address in that attribute is anomalous — presumably the point of the rule;
# verify against the OOXML spec.
source: |
type.inbound
and any(filter(attachments, .file_extension in ('docx', 'docm')),
any(filter(file.explode(.),
strings.icontains(.scan.strings.raw, '<w:hyperlink')
),
any(regex.iextract(.scan.strings.raw,
'<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
),
.named_groups["email_address"] == recipients.to[0].email.email
or any(strings.scan_base64(.named_groups["email_address"],
ignore_padding=true
),
strings.icontains(., recipients.to[0].email.email)
)
)
)
)
# Classification metadata used by the rule catalog.
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "File analysis"
- "Archive analysis"
- "XML analysis"
# Stable rule identifier.
id: "9ec8fa49-bda9-5e8f-876f-1e53a46d83ca"