← Back to Explore
sublimemediumRule
Attachment: DOCX with malicious document template artifacts
Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "docx"),
any(file.explode(.),
any(.scan.yara.matches,
.name in ("malicious_docx_document_template_artifacts")
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: DOCX with malicious document template artifacts"
description: "Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(attachments, .file_type == "docx"),
any(file.explode(.),
any(.scan.yara.matches,
.name in ("malicious_docx_document_template_artifacts")
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Exploit"
detection_methods:
- "File analysis"
- "YARA"
id: "add997e7-b313-5746-a60f-b61e60eb3915"