EXPLORE
← Back to Explore
sublimemediumRule

Attachment: DOCX with malicious document template artifacts

Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.

MITRE ATT&CK

defense-evasionexecution

Detection Query

type.inbound
and any(filter(attachments, .file_type == "docx"),
        any(file.explode(.),
            any(.scan.yara.matches,
                .name in ("malicious_docx_document_template_artifacts")
            )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: DOCX with malicious document template artifacts"
description: "Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "docx"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name in ("malicious_docx_document_template_artifacts")
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
detection_methods:
  - "File analysis"
  - "YARA"
id: "add997e7-b313-5746-a60f-b61e60eb3915"