← Back to Explore
sublimemediumRule
Attachment: Office document loads remote document template
Recursively scans archives and Office documents to detect remote document template injection.
Detection Query
type.inbound
and any(attachments,
(
(
// office files
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.flavors.mime == "text/xml"
and any(.scan.strings.strings,
regex.icontains(., "Target.{0,20}http.{0,200}dotm")
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: Office document loads remote document template"
description: |
Recursively scans archives and Office documents to detect remote document template injection.
references:
- "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
(
(
// office files
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.flavors.mime == "text/xml"
and any(.scan.strings.strings,
regex.icontains(., "Target.{0,20}http.{0,200}dotm")
)
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
detection_methods:
- "Archive analysis"
- "File analysis"
- "URL analysis"
id: "d9601104-c330-5995-9fae-4d30b969c081"