Attachment: Suspicious VBA macro
Detects any VBA macro attachment that scores above a low confidence threshold in the Sublime Macro Classifier.
Detection Query
type.inbound
and any(attachments,
        .file_extension in~ (
          "doc",
          "docm",
          "docx",
          "dot",
          "dotm",
          "pptm",
          "ppsm",
          "xlm",
          "xls",
          "xlsb",
          "xlsm",
          "xlt",
          "xltm"
        )
        and ml.macro_classifier(.).malicious
        and ml.macro_classifier(.).confidence in ("low", "medium", "high")
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Suspicious attachment, Macros, Machine learning
Raw Content
name: "Attachment: Suspicious VBA macro"
description: |
  Detects any VBA macro attachment that scores above a low confidence threshold in the Sublime Macro Classifier.
type: "rule"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ (
            "doc",
            "docm",
            "docx",
            "dot",
            "dotm",
            "pptm",
            "ppsm",
            "xlm",
            "xls",
            "xlsb",
            "xlsm",
            "xlt",
            "xltm"
          )
          and ml.macro_classifier(.).malicious
          and ml.macro_classifier(.).confidence in ("low", "medium", "high")
  )
tags:
  - "Suspicious attachment"
  - "Macros"
  - "Machine learning"