EXPLORE
← Back to Explore
sublimemediumRule

Attachment: Malicious zip file matching zipline campaign

Detects inbound ZIP attachments containing content that matches observed artifacts from a ZipLine campaign reported on by Telekom Security.

Detection Query

type.inbound
and any(filter(attachments, .file_type == "zip"),
        any(file.explode(.),
            any(.scan.yara.matches, .name in ("zipline_delivery_telekom"))
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: Malicious zip file matching zipline campaign"
description: "Detects inbound ZIP attachments containing content that matches observed artifacts from a ZipLine campaign reported on by Telekom Security."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "zip"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("zipline_delivery_telekom"))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "LNK"
detection_methods:
  - "Archive analysis"
  - "YARA"
  - "Content analysis"
  - "Threat intelligence"
id: "ca3e4844-2c3a-50de-86f0-f5ddee14524b"