EXPLORE DETECTIONS
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations.
Attachment: Decoy PDF author (Julie P.)
This detection rule matches on messages containing one or more Decoy PDF attachments with metadata discovered to have been assoicated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resource and password expiration lures.
Attachment: DocuSign impersonation via PDF linking to new domain
This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)
Attachment: DocX embedded binary
This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.
Attachment: DOCX with hyperlink targeting recipient address
Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.
Attachment: DOCX with malicious document template artifacts
Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.
Attachment: Double base64-encoded zip file in HTML smuggling attachment
Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
Attachment: Dropbox image lure with no Dropbox domains in links
Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender.
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
Detects inbound PDF attachments between 2-3 pages where the first three lines of the header text appear nearly identical (within a Levenshtein distance of 5) on multiple pages, combined with terminology commonly found in fraudulent Request for Quotation (RFQ) documents such as procurement language, payment conditions, and preference point systems. This pattern is consistent with fabricated or manipulated procurement documents used in BEC or fraud schemes.
Attachment: EICAR string present
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities. For performance reasons, this rule is limited to attachments with "eicar" in the file name.
Attachment: Embedded Javascript in SVG file
Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
Attachment: Embedded VBScript in MHT file
MHT files can be used to run VBScript, which can run malicious code.
Attachment: EML containing a base64 encoded script
Attached EML contains a base64 encoded script in the message body.
Attachment: EML file contains HTML attachment with login portal indicators
Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders. Reduces attack surface against HTML smuggling.
Attachment: EML file with IPFS links
Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.
Attachment: EML with embedded Javascript in SVG file
Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
Attachment: EML with Encrypted ZIP
Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.
Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
Attachment: EML with QR code redirecting to Cloudflare challenges
Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.
Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse.
Attachment: EML with Sharepoint link likely unrelated to sender
Detects EML attachments containing SharePoint links where the subdomain differs significantly from the sender's domain, potentially indicating SharePoint impersonation or domain spoofing tactics.
Attachment: EML with suspicious indicators
Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.