EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: ICS with embedded Javascript in SVG file

Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

T1566T1566.001T1566.002T1598T1204.002+4
Sublimehigh

Attachment: ICS with employee policy review lure

Detects ICS calendar attachments containing references to 'policy review' and 'secure access' terminology, which may be used in social engineering attacks to prompt users to take action under the guise of compliance or security requirements.

T1566T1566.001T1566.002T1598T1534+3
Sublimehigh

Attachment: Invoice and W-9 PDFs with suspicious creators

Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, commonly used in business email compromise attacks targeting financial processes.

T1566.002T1534T1656T1566T1598+1
Sublimehigh

Attachment: JavaScript file with suspicious base64-encoded executable

JavaScript attachment or compressed JavaScript file containing a base64 encoded executable.

T1566.001T1204.002T1486T1036T1027+1
Sublimehigh

Attachment: JPEG with gd-jpeg creator and suspicious file name

Detects inbound messages containing a single JPEG attachment with specific filename patterns and EXIF metadata indicating creation by gd-jpeg v1.0. This has been observed being used to produce company logos used within phishing messages.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: Legal themed message or PDF with suspicious indicators

Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains.

T1566T1566.001T1566.002T1598T1486+5
Sublimemedium

Attachment: Link file with UNC path

Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: Link to Doubleclick.net open redirect

Doubleclick.net link in a document leveraging an open redirect.

T1566.002T1534T1656T1566T1566.001+3
Sublimemedium

Attachment: LNK file

Recursively scans files and archives to detect LNK connection files. LNK files can be weaponised to execute arbitrary commands including unpacking and running executable content embedded within the file itself.

T1566.001T1204.002T1486
Sublimehigh

Attachment: LNK with embedded content

Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched. Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.

T1566.001T1204.002T1486T1190T1203+1
Sublimehigh

Attachment: Macro files containing MHT content

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.

T1566.001T1204.002T1486T1566T1566.002+5
Sublimemedium

Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation

Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.

T1566.001T1204.002T1486T1059.005T1059
Sublimehigh

Attachment: Malformed OLE file

Attached OLE file (typically a Microsoft Office document) is malformed, possibly to evade traditional scanners and filters.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: Malicious OneNote commands

Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.

T1566.001T1204.002T1486T1059
Sublimehigh

Attachment: Malicious zip file matching zipline campaign

Detects inbound ZIP attachments containing content that matches observed artifacts from a ZipLine campaign reported on by Telekom Security.

T1566.001T1204.002T1486
Sublimemedium

Attachment: Microsoft 365 credential phishing

Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Attachment: Microsoft impersonation via PDF with link and suspicious language

Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links

Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files.

T1566T1566.001T1566.002T1598T1598.003+2
Sublimehigh

Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK

Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: MS OOXML file created by Administrator with zero edit time

Detects inbound PowerPoint (.pptx) and other MS OOXML attachments where the file creator is listed as 'Administrator' and the total edit time is zero minutes, while missing the 'TitlesOfParts' metadata field. This pattern may indicate programmatically generated or suspicious presentation files.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: MSI installer file

Recursively scans files and archives to detect MSI installer files. Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack. Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: Office document loads remote document template

Recursively scans archives and Office documents to detect remote document template injection.

T1566.001T1204.002T1486
Sublimemedium

Attachment: Office document with VSTO add-in

Recursively scans files and archives to detect Office documents with VSTO Add-ins.

T1566.001T1204.002T1486T1059
Sublimehigh

Attachment: Office file contains OLE relationship to credential phishing page

Office file OLE relationship link is a credential page, or contains credential phishing language.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh
PreviousPage 7 of 49Next