Explore Detections

986 detections found

Attachment: DocX embedded binary

This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS Office Open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions such as createObjectURL or msSaveOrOpenBlob, which indicate an attempt to download and execute a binary payload.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027
Source: Sublime | Severity: high

Attachment: DOCX with hyperlink targeting recipient address

Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Source: Sublime | Severity: medium

Attachment: Double base64-encoded zip file in HTML smuggling attachment

Qakbot double Base64-encodes zip files within its HTML smuggling email attachments. This produces predictable file header strings in the HTML string content.

Techniques: T1566.001, T1204.002, T1486, T1566, T1566.002 (+4 more)
Source: Sublime | Severity: high

Attachment: Dropbox image lure with no Dropbox domains in links

Detects Dropbox-themed phishing emails from an untrusted sender that carry image attachments but contain no Dropbox links.

Techniques: T1566, T1566.001, T1566.002, T1598, T1598.003
Source: Sublime | Severity: medium

Attachment: EICAR string present

This rule detects the EICAR test string, which is used to evaluate anti-virus scanning and file inspection capabilities. For performance reasons, this rule is limited to attachments with "eicar" in the file name.

Techniques: T1566.001, T1204.002, T1486
Source: Sublime | Severity: low

Attachment: Embedded JavaScript in SVG file

JavaScript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Techniques: T1566.001, T1204.002, T1486, T1059
Source: Sublime | Severity: high

Attachment: Embedded VBScript in MHT file (unsolicited)

MHT files can be used to run VBScript, which can run malicious code.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Source: Sublime | Severity: medium

Attachment: EML containing a base64 encoded script

Attached EML contains a base64-encoded script in the message body.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+2 more)
Source: Sublime | Severity: high

Attachment: EML file contains HTML attachment with login portal indicators

Attached EML file contains an HTML attachment with suspicious login indicators. This is a known credential theft technique.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime | Severity: high

Attachment: EML file with HTML attachment (unsolicited)

Detects HTML files in EML attachments from unsolicited senders. Reduces attack surface against HTML smuggling.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Source: Sublime | Severity: medium

Attachment: EML file with IPFS links

Attached EML uses engaging language and contains IPFS links. IPFS has recently been observed hosting phishing sites.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime | Severity: medium

Attachment: EML with embedded JavaScript in SVG file

Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+4 more)
Source: Sublime | Severity: high

Attachment: EML with Encrypted ZIP

Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.

Techniques: T1566.001, T1204.002, T1486, T1027, T1573 (+1 more)
Source: Sublime | Severity: low

Attachment: EML with link to credential phishing page

Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime | Severity: high

Attachment: EML with QR code redirecting to Cloudflare challenges

Detects EML attachments containing Office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Source: Sublime | Severity: low

Attachment: EML with SharePoint files shared from GoDaddy federated tenants

Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+2 more)
Source: Sublime | Severity: low

Attachment: EML with SharePoint link likely unrelated to sender

Detects EML attachments containing SharePoint links where the subdomain differs significantly from the sender's domain, potentially indicating SharePoint impersonation or domain spoofing tactics.

Techniques: T1566.002, T1534, T1656, T1566, T1566.001 (+4 more)
Source: Sublime | Severity: medium

Attachment: EML with suspicious indicators

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime | Severity: medium

Attachment: Emotet heavily padded doc in zip file

Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. Contents may include Red Dawn templates exceeding 500MB.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027
Source: Sublime | Severity: high

Attachment: Employment contract update with suspicious file naming

Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027 (+2 more)
Source: Sublime | Severity: high

Attachment: Encrypted Microsoft Office file (unsolicited)

Encrypted OLE2 (e.g. Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use this rule if receiving encrypted attachments is not normal behavior in your environment.

Techniques: T1566.001, T1204.002, T1486, T1027, T1573 (+2 more)
Source: Sublime | Severity: medium

Attachment: Encrypted PDF with credential theft body

Attached PDF is encrypted, and the email body contains credential theft language. Seen in the wild impersonating e-fax services.

Techniques: T1566, T1566.001, T1566.002, T1598, T1027 (+2 more)
Source: Sublime | Severity: medium

Attachment: Encrypted ZIP containing VHDX file

Detects ZIP attachments that are encrypted and contain VHDX files, which may be used to bypass security controls or deliver malicious payloads.

Techniques: T1566.001, T1204.002, T1486, T1027, T1573 (+1 more)
Source: Sublime | Severity: medium

Attachment: Encrypted zip file with payment-related lure

Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction.

Techniques: T1566.002, T1534, T1656, T1566.001, T1204.002 (+6 more)
Source: Sublime | Severity: medium

Page 3 of 42