EXPLORE DETECTIONS
Attachment: .csproj with suspicious commands
Attached .csproj file contains suspicious commands.
Attachment: 7z Archive Containing RAR File
Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.
Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
Attachment: Any .sap file (unsolicited)
SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment.
Attachment: Any EML file
Any EML attachment. This rule can be combined with a webhook action for further analysis of attached EML files, e.g. via the analysis API.
Attachment: Any HTML file (unsolicited)
Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any HTML file (untrusted sender)
Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any HTML file within archive (unsolicited)
Recursively scans archives to detect HTML files from unsolicited senders. HTML files can be used for HTML smuggling and embedded in archives to evade detection.
Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives. Attackers often embed malicious files within archives to bypass email gateway controls.
Attachment: Archive containing HTML file with file scheme link
Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.
Attachment: Archive contains DLL-loading macro
An attacker could send a trusted and signed document that references an untrusted DLL file, which will be loaded by the signed document.
Attachment: Archive with embedded CHM file
Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files. According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.
Attachment: Archive with embedded EXE file
Recursively scans files and archives to detect embedded EXE files (with an MZ header). According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation". The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.
Attachment: Archive with pdf, txt and wsf files
Detects a known Qakbot delivery method: a zip file containing pdf, txt and wsf files at a depth of 1.
Attachment: Base64 encoded bash command in filename
This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.).
Attachment: Calendar file with invisible Unicode characters
Detects calendar (.ics) attachments containing suspicious invisible Unicode characters, which may be used to hide malicious content or bypass security filters. The rule triggers on messages with calendar-related keywords in the subject or body.
Attachment: Calendar invite from recently registered domain
Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.
Attachment: Calendar invite with Google redirect and invoice request
Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body.
Attachment: Calendar invite with suspicious link leading to an open redirect
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
Attachment: Callback phishing solicitation via image file
A fraudulent invoice/receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Attachment: Callback phishing solicitation via pdf file
A fraudulent invoice/receipt found in a pdf attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Attachment: Callback phishing solicitation via text-based file
Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.
Attachment: cmd file extension
Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.
Attachment: Cold outreach with invitation subject and not attachment
Detects inbound messages with invitation-related subjects that request recipients to view attachments, contain no links, and are classified as B2B cold outreach with high confidence. Messages either have no attachments or contain a single image attachment.