Attachment: LNK with embedded content
Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched. Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.
Attachment: Macro files containing MHT content
Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
Attachment: Malformed OLE file
Attached OLE file (typically a Microsoft Office document) is malformed, possibly to evade traditional scanners and filters.
Attachment: Malicious OneNote commands
Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.
Attachment: Microsoft 365 credential phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Attachment: Microsoft impersonation via PDF with link and suspicious language
Attached PDF contains a Microsoft-affiliated logo, suspicious language or keywords, and a link. Known malware delivery method.
Attachment: MS Office or RTF file with Shell.Explorer.1 COM object with embedded LNK
Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.
Attachment: MSI installer file
Recursively scans files and archives to detect MSI installer files. Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack. Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.
Attachment: Office document loads remote document template
Recursively scans archives and Office documents to detect remote document template injection.
Attachment: Office document with VSTO add-in
Recursively scans files and archives to detect Office documents with VSTO Add-ins.
Attachment: Office file contains OLE relationship to credential phishing page
Office file OLE relationship link points to a credential phishing page, or contains credential phishing language.
Attachment: Office file with credential phishing URLs
Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis.
Attachment: Office file with document sharing and browser instruction lures
Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.
Attachment: Office file with suspicious function calls or downloaded file path
Attached Office file contains suspicious function calls or known malicious file path pattern.
Attachment: OLE external relationship containing file scheme link to executable filetype
This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.
Attachment: OLE external relationship containing file scheme link to IP address
This rule identifies attachments containing file scheme links pointing to IP addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule does not fire on IP addresses in RFC 1918 or other privately allocated space.
Attachment: Password-protected PDF with fake document indicators
Detects PDF attachments that are password protected and match YARA signatures looking for specific content observed in previous activity.
Attachment: PDF bid/proposal lure with credential theft indicators
Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.
Attachment: PDF contains W9 or invoice YARA signatures
PDF attachment matches YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
Attachment: PDF file with embedded content
Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.
Attachment: PDF file with link to fake Bitcoin exchange
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake cryptocurrency portal. Attempting to withdraw funds prompts the user to enter payment information.
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.