sublimemediumRule

Encrypted Microsoft Office files from untrusted sender

Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.

MITRE ATT&CK

T1566.002 T1534 T1656 T1566.003 T1598 T1566 T1566.001 T1486 T1657 T1204.002 T1027 T1573 T1036

defense-evasion

Detection Query

type.inbound
and any(attachments,
        (
          // Word documents
          strings.iends_with(.file_name, ".doc")
          or strings.iends_with(.file_name, ".docx")
          or strings.iends_with(.file_name, ".docm")
          or .content_type == "application/msword"
          or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
          or .file_type in ("doc", "docx")
          or 

          // Excel documents
          strings.iends_with(.file_name, ".xls")
          or strings.iends_with(.file_name, ".xlsx")
          or strings.iends_with(.file_name, ".xlsm")
          or .content_type == "application/vnd.ms-excel"
          or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
          or .file_type in ("xls", "xlsx")
          or 

          // PowerPoint documents
          strings.iends_with(.file_name, ".ppt")
          or strings.iends_with(.file_name, ".pptx")
          or strings.iends_with(.file_name, ".pptm")
          or .content_type == "application/vnd.ms-powerpoint"
          or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
          or .file_type in ("ppt", "pptx")
          or 

          // Access documents
          strings.iends_with(.file_name, ".accdb")
          or strings.iends_with(.file_name, ".mdb")
          or .content_type == "application/msaccess"
          or .content_type == "application/x-msaccess"
          or .content_type == "application/vnd.ms-access"
        )
        and any(file.explode(.),
                any(.scan.yara.matches, .name == 'aes_encryption_keywords')
        )
)
// Negating high-trust sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Tags

Attack surface reduction

Raw Content

name: "Encrypted Microsoft Office files from untrusted sender"
description: "Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning."
type: "rule"
severity: "medium"
source: |
    type.inbound
    and any(attachments,
            (
              // Word documents
              strings.iends_with(.file_name, ".doc")
              or strings.iends_with(.file_name, ".docx")
              or strings.iends_with(.file_name, ".docm")
              or .content_type == "application/msword"
              or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
              or .file_type in ("doc", "docx")
              or 
    
              // Excel documents
              strings.iends_with(.file_name, ".xls")
              or strings.iends_with(.file_name, ".xlsx")
              or strings.iends_with(.file_name, ".xlsm")
              or .content_type == "application/vnd.ms-excel"
              or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
              or .file_type in ("xls", "xlsx")
              or 
    
              // PowerPoint documents
              strings.iends_with(.file_name, ".ppt")
              or strings.iends_with(.file_name, ".pptx")
              or strings.iends_with(.file_name, ".pptm")
              or .content_type == "application/vnd.ms-powerpoint"
              or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
              or .file_type in ("ppt", "pptx")
              or 
    
              // Access documents
              strings.iends_with(.file_name, ".accdb")
              or strings.iends_with(.file_name, ".mdb")
              or .content_type == "application/msaccess"
              or .content_type == "application/x-msaccess"
              or .content_type == "application/vnd.ms-access"
            )
            and any(file.explode(.),
                    any(.scan.yara.matches, .name == 'aes_encryption_keywords')
            )
    )
    // Negating high-trust sender domains unless they fail DMARC authentication
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and (
          any(distinct(headers.hops, .authentication_results.dmarc is not null),
              strings.ilike(.authentication_results.dmarc, "*fail")
          )
        )
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
tags:
 - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Sender analysis"
id: "eb7b26e7-2e74-5b25-8ecf-7fd401969e03"