EXPLORE DETECTIONS
Attachment: EML with suspicious indicators
Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.
Attachment: Emotet heavily padded doc in zip file
Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. Contents may include Red Dawn templates exceeding 500MB.
Attachment: Employment contract update with suspicious file naming
Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.
Attachment: Encrypted Microsoft Office file (unsolicited)
Encrypted OLE2 (e.g. Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use if receiving encrypted attachments is not normal behavior in your environment.
Attachment: Encrypted PDF with credential theft body
Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.
Attachment: Encrypted ZIP containing VHDX file
Detects ZIP attachments that are encrypted and contain VHDX files, which may be used to bypass security controls or deliver malicious payloads.
Attachment: Encrypted zip file with payment-related lure
Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction.
Attachment: Excel file with document sharing lure created by Go Excelize
Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.
Attachment: Excel file with suspicious template identifier
Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.
Attachment: Excel Web Query File (IQY)
Recursively scans files and archives to detect IQY files. IQY files can be used to coerce a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.
Attachment: Fake attachment image lure
Message (or attached message) contains an image impersonating an Outlook attachment button.
Attachment: Fake lawyer & sports agent identities
Detects messages containing attachments or content that reference known fake identities used in FC Barcelona scams, including fake lawyer Michael Gerardus Hermanus Demon and sports agents with the surname Giuffrida. The rule examines EXIF metadata, OCR text from attachments, and message body content for these specific identity markers.
Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
Attachment: Fake secure message and suspicious indicators
Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.
Attachment: Fake Slack installer
HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
Attachment: Fake voicemail via PDF
Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code.
Attachment: Fake Zoom installer
HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
Attachment: Fictitious invoice using LinkedIn's address
Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself.
Attachment: File execution via JavaScript
JavaScript contains identifiers or strings that may attempt to execute files.
Attachment: Filename containing Unicode braille pattern blank character
Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters.
Attachment: Filename containing Unicode right-to-left override character
Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters.
Attachment: Finance themed PDF with observed phishing template
Detects PDF attachments containing a specific rectangular coordinate pattern at position [249.75 560 407.25 599.75], which may indicate a templated or malicious document structure.
Attachment: HTML attachment with JavaScript location
Recursively scans files and archives to detect HTML smuggling techniques.
Attachment: HTML attachment with login portal indicators
Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.