EXPLORE DETECTIONS
Attachment: MS Office or RTF file with Shell.Explorer.1 COM object with embedded LNK
Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.
Attachment: MSI installer file
Recursively scans files and archives to detect MSI installer files. Coercing a target user to run an MSI is a common step in 'IT Support' or 'software update' social engineering; if the delivered MSI executes, the attacker's code runs on the target user's host.
Attachment: Office document loads remote document template
Recursively scans archives and Office documents to detect remote document template injection.
Attachment: Office document with VSTO add-in
Recursively scans files and archives to detect Office documents with VSTO Add-ins.
Attachment: Office file contains OLE relationship to credential phishing page
The Office file carries an OLE relationship whose link target is a credential phishing page or contains credential phishing language.
Attachment: Office file with credential phishing URLs
Detects Office documents containing embedded URLs that redirect to credential phishing pages. The rule filters out standard XML namespace and schema URLs commonly found in legitimate Office documents, then analyzes remaining URLs for malicious content using machine learning link analysis.
Attachment: Office file with document sharing and browser instruction lures
Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.
Attachment: Office file with suspicious function calls or downloaded file path
Attached Office file contains suspicious function calls or known malicious file path pattern.
Attachment: OLE external relationship containing file scheme link to executable filetype
This rule identifies attachments containing file scheme (file://) links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.
Attachment: OLE external relationship containing file scheme link to IP address
This rule identifies attachments containing file scheme (file://) links pointing to IP addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule does not fire on IP addresses in RFC 1918 private ranges.
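The three relationship-based rules above (remote document template, file:// link to an executable, file:// link to a non-RFC 1918 IP) all reduce to the same check: open the OOXML container as a ZIP, read every `.rels` part, and inspect relationships whose `TargetMode` is `External`. The following is an added example written for this page, not the detection engine's own code. It builds a constructed `.docx` in memory (the hostnames, IPs and file names are made up; 203.0.113.10 is a documentation-range address used as a stand-in for a public one) and classifies its external relationships. The executable extension list and the finding names are illustrative assumptions, not the rules' own definitions.

```python
import io
import os
import ipaddress
import re
import zipfile
from urllib.parse import urlparse

# OOXML relationship types (real namespace values) relevant to these rules.
REL_ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                         "relationships/attachedTemplate")
REL_OLE_OBJECT = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/oleObject")
REL_IMAGE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/image")

# Extensions treated as executable for the file:// check (illustrative list, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".bat",
                   ".cmd", ".ps1", ".lnk", ".msi"}

# RFC 1918 ranges that the IP-address rule excludes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def external_relationships(doc_bytes):
    """Return (rels part, Type, Target) for every relationship with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for m in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if attrs.get("TargetMode", "").lower() == "external":
                    found.append((name, attrs.get("Type", ""), attrs.get("Target", "")))
    return found


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_rfc1918(host):
    return is_ip(host) and any(ipaddress.ip_address(host) in net for net in RFC1918)


def classify(doc_bytes):
    """Map each finding name (assumed names) to the external targets that triggered it."""
    hits = {}
    for _part, rtype, target in external_relationships(doc_bytes):
        u = urlparse(target)
        # Remote template injection: attachedTemplate relationship fetched over HTTP(S).
        if rtype == REL_ATTACHED_TEMPLATE and u.scheme in ("http", "https"):
            hits.setdefault("remote_template", []).append(target)
        # file:// links: flag executable targets, and IP hosts outside RFC 1918 space.
        if u.scheme == "file":
            if os.path.splitext(u.path)[1].lower() in EXECUTABLE_EXTS:
                hits.setdefault("file_link_to_executable", []).append(target)
            host = u.hostname or ""
            if is_ip(host) and not is_rfc1918(host):
                hits.setdefault("file_link_to_ip", []).append(target)
    return hits


def build_docx(rels):
    """Build a minimal .docx container (constructed sample, not a real document).
    rels: iterable of (rels part path, Type, Target, external?)."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
    }
    grouped = {}
    for part, rtype, target, external in rels:
        grouped.setdefault(part, []).append((rtype, target, external))
    for part, entries in grouped.items():
        rows = []
        for i, (rtype, target, external) in enumerate(entries, 1):
            mode = ' TargetMode="External"' if external else ""
            rows.append(f'<Relationship Id="rId{i}" Type="{rtype}" Target="{target}"{mode}/>')
        parts[part] = ('<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                       + "".join(rows) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a remote template, an OLE file:// link to an executable on a public
# (documentation-range) IP, a file:// link into RFC 1918 space, and a benign internal image.
SAMPLE_DOCX = build_docx([
    ("word/_rels/settings.xml.rels", REL_ATTACHED_TEMPLATE, "http://example.invalid/template.dotm", True),
    ("word/_rels/document.xml.rels", REL_OLE_OBJECT, "file://203.0.113.10/share/update.exe", True),
    ("word/_rels/document.xml.rels", REL_OLE_OBJECT, "file://10.0.0.5/share/readme.txt", True),
    ("word/_rels/document.xml.rels", REL_IMAGE, "media/image1.png", False),
])

if __name__ == "__main__":
    for finding, targets in sorted(classify(SAMPLE_DOCX).items()):
        print(f"{finding}: {targets}")
```

Because `build_docx` writes a deflated ZIP, the check has to open the container rather than grep the raw attachment; the same applies to `.xlsx`/`.pptx` and to Office files nested inside archives, which is why the rules scan recursively. The RFC 1918 exclusion is deliberate: an internal file share referenced by a legitimately authored document would otherwise fire the IP rule on every intranet template.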
Attachment: Password-protected PDF with fake document indicators
Detects PDF attachments that are password protected and match YARA signatures for specific content observed in previous activity.
Attachment: PDF bid/proposal lure with credential theft indicators
Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.
Attachment: PDF contains W9 or invoice YARA signatures
PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
Attachment: PDF file with embedded content
Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.
Attachment: PDF file with link to fake Bitcoin exchange
Fraudulent message containing a PDF notification of unclaimed Bitcoin assets. The PDF file contains a link to a fake Cryptocurrency portal. Attempting to withdraw funds prompts the user to enter payment information.
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
Attachment: PDF generated with wkhtmltopdf tool and default title
Detects PDF attachments generated with the wkhtmltopdf HTML/CSS-to-PDF converter that still carry the tool's default document title. Attackers commonly use this tool to turn web content into legitimate-looking PDF documents for social engineering.
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) observed in encrypted PDFs carrying fake payment notifications.
Attachment: PDF proposal with credential theft indicators
PDF attachment with 'proposal' in filename contains sender or recipient domain, credential theft language detected via OCR, and includes a single URL link.
Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
Attachment: PDF with credential theft language and invalid reply-to domain
Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
Detects messages with credential theft PDFs linking to free subdomains.
Attachment: PDF with embedded JavaScript
PDF contains embedded JavaScript.
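Several of the PDF rules above (embedded content, wkhtmltopdf producer, single-page "View Document" lure with exactly one URL, embedded JavaScript) come down to looking for a handful of PDF names and strings in the object bodies. The following is an added example written for this page, not the detection engine's own code. It scans a constructed sample PDF (the URL, file name and producer string are made up; the cross-reference table is omitted because the scanner never reads it). Finding names are assumptions. The wkhtmltopdf check here is producer-string only, since the page does not state what the tool's default title is. A real scanner must also inflate `FlateDecode` streams and object streams, which can hide every name matched here.

```python
import re

# Constructed sample attachment: one page, one link annotation, an OpenAction running
# JavaScript, an embedded .docm, and a wkhtmltopdf producer string. Not a real file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles << /Names [(update.docm) 7 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 700 Td (View Document) Tj ET
endstream endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/doc", true);) >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/doc) >> >> endobj
7 0 obj << /Type /Filespec /F (update.docm) /EF << /F 8 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
9 0 obj << /Producer (wkhtmltopdf 0.12.6) /Title () >> endobj
trailer << /Root 1 0 R /Info 9 0 R >>
%%EOF
"""

JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")        # JavaScript actions
EMBEDDED_RE = re.compile(rb"/EmbeddedFile\b")        # file attachments inside the PDF
ENCRYPT_RE = re.compile(rb"/Encrypt\b")              # password-protected / encrypted document
PAGE_RE = re.compile(rb"/Type\s*/Page\b")            # page objects (\b excludes /Pages)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # link annotation targets
PRODUCER_RE = re.compile(rb"/Producer\s*\(([^)]*)\)")
TEXT_RE = re.compile(rb"\(([^)]*)\)\s*Tj")           # literal strings drawn by Tj

LURE_PHRASES = ("view document", "view pdf")


def scan_pdf(data):
    """Return page count, link URIs, producer, encryption flag and a list of findings."""
    producer = PRODUCER_RE.search(data)
    text = b" ".join(TEXT_RE.findall(data)).decode("latin-1").lower()
    result = {
        "pages": len(PAGE_RE.findall(data)),
        "uris": [u.decode("latin-1") for u in URI_RE.findall(data)],
        "producer": producer.group(1).decode("latin-1") if producer else "",
        "encrypted": bool(ENCRYPT_RE.search(data)),
        "findings": [],
    }
    if JS_RE.search(data):
        result["findings"].append("embedded_javascript")
    if EMBEDDED_RE.search(data):
        result["findings"].append("embedded_file")
    if "wkhtmltopdf" in result["producer"].lower():
        result["findings"].append("wkhtmltopdf_generated")
    # Single-page document with exactly one link and a "view" lure phrase.
    if result["pages"] == 1 and len(result["uris"]) == 1 and any(p in text for p in LURE_PHRASES):
        result["findings"].append("single_url_view_lure")
    if result["encrypted"]:
        result["findings"].append("encrypted")
    return result


if __name__ == "__main__":
    for key, value in scan_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

An encrypted PDF (the `/Encrypt` case) is the one where this approach gives the least: the strings and streams are ciphered, so page text, URIs and embedded-file names are unreadable without the password, which is why the password-protected rules above lean on YARA signatures for the parts that remain in cleartext.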