Sublime | Severity: medium | Type: rule
Attachment: Encrypted ZIP containing VHDX file
Detects ZIP attachments that are encrypted and contain VHDX files, which may be used to bypass security controls or deliver malicious payloads.
Detection Query

    type.inbound
    and any(filter(attachments, .file_type == "zip"),
            any(file.explode(.),
                .scan.zip.encrypted == true
                and any(.scan.zip.all_paths, strings.ends_with(., "vhdx"))
            )
    )
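The same logic reproduced outside the Sublime platform, as an added example that is not part of this rule page: a Python check that reads the encryption flag from a ZIP's central directory and tests entry paths for the `vhdx` suffix, exercised against constructed in-memory archives. The `analyse_zip`, `matches_rule` and `build_zip` names, the optional case-insensitive match (which goes beyond the rule's literal `strings.ends_with`), and the choice to treat an archive as encrypted when any entry carries the flag are assumptions of this example, not Sublime's `file.explode` semantics.

```python
import io
import struct
import zipfile

# Bit 0 of the general-purpose flag marks an encrypted entry (ZIP APPNOTE 4.4.4).
ENCRYPTED_FLAG = 0x0001


def analyse_zip(zip_bytes: bytes) -> dict:
    """Approximate the rule's .scan.zip fields from the central directory.

    Assumption: the archive counts as encrypted if any entry has the flag set.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        return {
            "encrypted": any(i.flag_bits & ENCRYPTED_FLAG for i in infos),
            "all_paths": [i.filename for i in infos],
        }


def matches_rule(zip_bytes: bytes, case_insensitive: bool = False) -> bool:
    """Mirror: .scan.zip.encrypted == true and any path ends with 'vhdx'."""
    scan = analyse_zip(zip_bytes)
    paths = scan["all_paths"]
    if case_insensitive:  # broader than the rule's case-sensitive suffix test
        paths = [p.lower() for p in paths]
    return scan["encrypted"] and any(p.endswith("vhdx") for p in paths)


def build_zip(entries: dict, encrypted: bool) -> bytes:
    """Constructed sample archive (hypothetical payload names, inert bytes).

    zipfile cannot write password-protected archives, so for the encrypted
    variant the flag word is patched in every local header (offset 6) and
    central-directory entry (offset 8); the data itself stays inert.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                struct.pack_into("<H", raw, pos + off, ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + 1)
    return bytes(raw)
```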
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: Encrypted ZIP containing VHDX file"
description: "Detects ZIP attachments that are encrypted and contain VHDX files, which may be used to bypass security controls or deliver malicious payloads."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "zip"),
          any(file.explode(.),
              .scan.zip.encrypted == true
              and any(.scan.zip.all_paths, strings.ends_with(., "vhdx"))
          )
  )
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Encryption"
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "bf477bfc-e1e4-5182-9ff8-9134c4378098"