Attachment: Excel file with document sharing lure created by Go Excelize
Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.
Detection Query
type.inbound
and any(filter(attachments,
               .file_extension in $file_extensions_macros
               // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
               and .size < 2000000
        ),
        any(file.explode(.),
            // document sharing lure
            (
              length(.scan.strings.raw, ) < 1000
              and regex.icontains(.scan.strings.raw,
                                  '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
              )
            )
            or strings.icontains(.scan.strings.raw,
                                 'Please download this spreadsheet or SVG and click'
            )
            or (
              length(.scan.strings.raw) < 500
              and strings.contains(.scan.strings.raw, 'REVIEW DOCUMENT')
            )
        )
        and beta.parse_exif(.).creator == "xuri"
        and any(beta.parse_exif(.).fields,
                .key == "Application" and .value == "Go Excelize"
        )
)
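To make the rule's structure concrete, the following Python is an added re-implementation of the same conditions over constructed sample attachments; it is not Sublime's engine or the rule's own code. It models the three things the query combines: the attachment filter (macro-enabled extension and size below 2,000,000 bytes), the "document sharing lure" clause evaluated over each file produced by `file.explode(.)`, and the Go Excelize metadata check on the attachment itself (`creator == "xuri"` plus an `Application` field of `Go Excelize`). The `MACRO_EXTENSIONS` set is an assumed stand-in for Sublime's `$file_extensions_macros` list, and `Attachment` is a hypothetical data class holding only the fields the rule reads.

```python
"""Added example: the rule's logic re-implemented in Python over constructed data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: stand-in for Sublime's $file_extensions_macros list.
MACRO_EXTENSIONS = {"xlsm", "xlam", "xltm", "docm", "dotm", "pptm"}
MAX_ATTACHMENT_SIZE = 2_000_000  # bytes, same threshold as the rule

# The three lure conditions from the rule, in the same order.
LURE_RE = re.compile(
    r"(?:sent|shared|forwarded|provided|invited|received)"
    r"(?:\s+\w+){0,9}\s+(?:document|file|attachment)",
    re.IGNORECASE,  # regex.icontains is case-insensitive
)
DOWNLOAD_PHRASE = "please download this spreadsheet or svg and click"  # strings.icontains
REVIEW_MARKER = "REVIEW DOCUMENT"  # strings.contains is case-sensitive


@dataclass
class Attachment:
    """Hypothetical model of just the fields the rule reads."""
    file_extension: str
    size: int
    # One list of extracted printable strings per file from file.explode(.)
    exploded_strings: List[List[str]]
    creator: Optional[str] = None                          # beta.parse_exif(.).creator
    exif_fields: Dict[str, str] = field(default_factory=dict)  # parse_exif(.).fields


def has_sharing_lure(strings: List[str]) -> bool:
    """The 'document sharing lure' clause for one exploded file."""
    count = len(strings)  # length(.scan.strings.raw) counts strings, not bytes
    if count < 1000 and any(LURE_RE.search(s) for s in strings):
        return True
    if any(DOWNLOAD_PHRASE in s.lower() for s in strings):
        return True
    if count < 500 and any(REVIEW_MARKER in s for s in strings):
        return True
    return False


def created_by_go_excelize(att: Attachment) -> bool:
    """Excelize stamps the workbook's creator as 'xuri' and Application as 'Go Excelize'."""
    return att.creator == "xuri" and att.exif_fields.get("Application") == "Go Excelize"


def attachment_matches(att: Attachment) -> bool:
    """Per-attachment predicate: filter(attachments, ...) then the any(...) body."""
    if att.file_extension.lower() not in MACRO_EXTENSIONS:
        return False
    if att.size >= MAX_ATTACHMENT_SIZE:
        return False  # large files are dropped to limit FPs on automated reports
    lure = any(has_sharing_lure(strings) for strings in att.exploded_strings)
    return lure and created_by_go_excelize(att)


def rule_matches(inbound: bool, attachments: List[Attachment]) -> bool:
    """type.inbound and any(filter(attachments, ...), ...)."""
    return inbound and any(attachment_matches(a) for a in attachments)


# Constructed sample attachments (not real samples).
LURE = Attachment(
    "xlsm", 48_210,
    [["xl/vbaProject.bin"], ["You have been sent a secure document", "REVIEW DOCUMENT"]],
    creator="xuri", exif_fields={"Application": "Go Excelize"},
)
BENIGN_REPORT = Attachment(  # Excelize output with no lure wording
    "xlsm", 61_000, [["Q3 sales by region", "Total"]],
    creator="xuri", exif_fields={"Application": "Go Excelize"},
)
OVERSIZED = Attachment(  # lure text, but above the size cap
    "xlsm", 3_400_000, [["Please download this spreadsheet or SVG and click"]],
    creator="xuri", exif_fields={"Application": "Go Excelize"},
)
EXCEL_NATIVE = Attachment(  # lure text, but not produced by Excelize
    "xlsm", 40_000, [["Jane shared the quarterly file with you"]],
    creator="Jane Doe", exif_fields={"Application": "Microsoft Excel"},
)

if __name__ == "__main__":
    for name, att in [("LURE", LURE), ("BENIGN_REPORT", BENIGN_REPORT),
                      ("OVERSIZED", OVERSIZED), ("EXCEL_NATIVE", EXCEL_NATIVE)]:
        print(f"{name}: {rule_matches(True, [att])}")
```

Only `LURE` fires: the benign Excelize report lacks lure wording, the oversized file is excluded by the size cap that keeps automated reports out, and the Excel-authored file fails the creator/Application check even though its text matches the regex.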
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: Excel file with document sharing lure created by Go Excelize"
description: "Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments,
                 .file_extension in $file_extensions_macros
                 // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
                 and .size < 2000000
          ),
          any(file.explode(.),
              // document sharing lure
              (
                length(.scan.strings.raw, ) < 1000
                and regex.icontains(.scan.strings.raw,
                                    '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
                )
              )
              or strings.icontains(.scan.strings.raw,
                                   'Please download this spreadsheet or SVG and click'
              )
              or (
                length(.scan.strings.raw) < 500
                and strings.contains(.scan.strings.raw, 'REVIEW DOCUMENT')
              )
          )
          and beta.parse_exif(.).creator == "xuri"
          and any(beta.parse_exif(.).fields,
                  .key == "Application" and .value == "Go Excelize"
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Macros"
- "Social engineering"
detection_methods:
- "File analysis"
- "Macro analysis"
- "Content analysis"
- "Exif analysis"
id: "dfaf267f-2d78-56ff-971e-3a2796c24b56"