EXPLORE DETECTIONS
Attachment: Any HTML file within archive (unsolicited)
Recursively scans archives to detect HTML files from unsolicited senders. HTML files can be used for HTML smuggling and embedded in archives to evade detection.
Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives. Attackers often embed malicious files within archives to bypass email gateway controls.
Attachment: Archive containing HTML file with file scheme link
Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.
Attachment: Archive contains DLL-loading macro
An attacker could send a trusted and signed document that references an untrusted DLL file, which will be loaded by the signed document.
Attachment: Archive with embedded CHM file
Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files. According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.
Attachment: Archive with embedded EXE file
Recursively scans files and archives to detect embedded EXE files (with an MZ header). According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation". The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.
Attachment: Archive with pdf, txt and wsf files
Detects a known Qakbot delivery method: a zip file containing pdf, txt and wsf files at a depth of 1.
Attachment: Base64 encoded bash command in filename
This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.).
Attachment: Calendar file with invisible Unicode characters
Detects calendar (.ics) attachments containing suspicious invisible Unicode characters, which may be used to hide malicious content or bypass security filters. The rule triggers on messages with calendar-related keywords in the subject or body.
Attachment: Calendar invite from recently registered domain
Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.
Attachment: Calendar invite with Google redirect and invoice request
Detects calendar file attachments containing Google redirect URLs in the location field combined with invoice-related language in the message body.
Attachment: Calendar invite with suspicious link leading to an open redirect
Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.
Attachment: Callback phishing solicitation via image file
A fraudulent invoice/receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Attachment: Callback phishing solicitation via pdf file
A fraudulent invoice/receipt found in a pdf attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Attachment: Callback phishing solicitation via text-based file
Detects callback phishing via a text-based file attachment, with a short body and subject, from an unknown sender.
Attachment: cmd file extension
Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.
Attachment: Cold outreach with invitation subject and no attachment
Detects inbound messages with invitation-related subjects that request recipients to view attachments, contain no links, and are classified as B2B cold outreach with high confidence. Messages either have no attachments or contain a single image attachment.
Attachment: Compensation review lure with QR code
Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.
Attachment: Credit card application with WhatsApp contact
Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud.
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444. On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows. According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send an NTLM hash to malicious network locations.
Attachment: Decoy PDF author (Julie P.)
This detection rule matches on messages containing one or more decoy PDF attachments with metadata discovered to have been associated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resources and password expiration lures.
Attachment: DocuSign impersonation via PDF linking to new domain
This rule detects PDF files containing a DocuSign logo linking to a newly created domain (registered 3 days ago or less).