EXPLORE DETECTIONS
Attachment: QR code with userinfo portion
Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.
Attachment: RDP connection file
Recursively scans files and archives to detect RDP connection files. Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
This rule identifies messages with an RFC822 attachment that contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited and has not been previously flagged as a false positive.
Attachment: RFP/RFQ impersonating government entities
Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions.
Attachment: RTF file with suspicious link
This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.
Attachment: RTF with embedded content
RTF files can contain embedded content similar to OLE files (Microsoft Office documents).
Attachment: Self-sender PDF with minimal content and view prompt
Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.
Attachment: SFX archive containing commands
Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.
Attachment: Small text file with link containing recipient email address
Attached text file is less than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.
Attachment: Soda PDF producer with encryption themes
Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs whose OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.
Attachment: Suspicious employee policy update document lure
Inbound message containing a subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed delivering credential phishing via QR codes.
Attachment: Suspicious PDF created with headless browser
Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation.
Attachment: Suspicious VBA macro
Detects any VBA macro attachment that scores above a low confidence threshold in the Sublime Macro Classifier.
Attachment: SVG file execution
Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
Attachment: SVG files with evasion elements
This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.
Attachment: Uncommon compressed file
Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.
Attachment: USDA bid invitation impersonation
Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.
Attachment: Web files with suspicious comments
Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments.
Attachment: WinRAR CVE-2025-8088 exploitation
Detects attempts to exploit CVE-2025-8088 via attached RAR files.
Attachment: XLSX file with suspicious print titles metadata
Detects XLSX attachments containing EXIF metadata with suspicious TitlesOfParts fields that follow a specific pattern combining 'Company_Name' with extracted values and 'Print_Titles', potentially indicating malicious document preparation.
Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
Attachment: ZIP file with CVE-2026-0866 exploit
Detects ZIP attachments containing exploits targeting the CVE-2026-0866 vulnerability through YARA signature matching.
Attacker Tools On Endpoint
The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
Attempt To Add Certificate To Untrusted Store
The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.