Attachment: Archive containing disallowed file type
Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives. Attackers often embed malicious files within archives to bypass email gateway controls.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body (MQL)
```
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_common_archives
          or .file_type == "rar"
        )
        and any(file.explode(.),
                .file_extension in~ (
                  // File types blocked by Gmail by default
                  // https://support.google.com/mail/answer/6590?hl=en#zippy=%2Cmessages-that-have-attachments
                  "ade",
                  "adp",
                  "apk",
                  "appx",
                  "appxbundle",
                  "bat",
                  "cab",
                  "chm",
                  "cmd",
                  "com",
                  "cpl",
                  "dll",
                  "dmg",
                  "ex",
                  "ex_",
                  "exe",
                  "hta",
                  "ins",
                  "isp",
                  "iso",
                  "jar",
                  "js",
                  "jse",
                  "lib",
                  "lnk",
                  "mde",
                  "msc",
                  "msi",
                  "msix",
                  "msixbundle",
                  "msp",
                  "mst",
                  "nsh",
                  "pif",
                  "ps1",
                  "scr",
                  "sct",
                  "shb",
                  "sys",
                  "vb",
                  "vbe",
                  "vbs",
                  "vxd",
                  "wsc",
                  "wsf",
                  "wsh",
                  // File types blocked by Microsoft 365 by default
                  // https://support.microsoft.com/en-us/office/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
                  "ade",
                  "adp",
                  "app",
                  "application",
                  "appref-ms",
                  "asp",
                  "aspx",
                  "asx",
                  // "bas", excluded at depth > 1 because they can exist natively in word docs within an archive. see below
                  "bat",
                  "bgi",
                  "cab",
                  // "cer",
                  "chm",
                  "cmd",
                  "cnt",
                  "com",
                  "cpl",
                  // "crt",
                  // "csh",
                  // "der",
                  "diagcab",
                  "exe",
                  "fxp",
                  "gadget",
                  // "grp",
                  "hlp",
                  "hpj",
                  "hta",
                  "htc",
                  // "inf",
                  "ins",
                  "iso",
                  "isp",
                  "its",
                  "jar",
                  "jnlp",
                  "js",
                  "jse",
                  "ksh",
                  "lnk",
                  "mad",
                  "maf",
                  "mag",
                  "mam",
                  "maq",
                  "mar",
                  "mas",
                  "mat",
                  "mau",
                  "mav",
                  "maw",
                  "mcf",
                  "mda",
                  // "mdb",
                  "mde",
                  "mdt",
                  "mdw",
                  "mdz",
                  "msc",
                  "msh",
                  "msh1",
                  "msh2",
                  "mshxml",
                  "msh1xml",
                  "msh2xml",
                  "msi",
                  "msp",
                  "mst",
                  "msu",
                  "ops",
                  "osd",
                  "pcd",
                  "pif",
                  "pl",
                  "plg",
                  "prf",
                  "prg",
                  "printerexport",
                  "ps1",
                  "ps1xml",
                  "ps2",
                  "ps2xml",
                  "psc1",
                  "psc2",
                  "psd1",
                  "psdm1",
                  "pst",
                  // "py",
                  // "pyc",
                  "pyo",
                  "pyw",
                  "pyz",
                  "pyzw",
                  "reg",
                  "scf",
                  "scr",
                  "sct",
                  "shb",
                  "shs",
                  "theme",
                  // "tmp",
                  "url",
                  "vb",
                  "vbe",
                  "vbp",
                  "vbs",
                  "vhd",
                  "vhdx",
                  "vsmacros",
                  "vsw",
                  "webpnp",
                  "website",
                  "ws",
                  "wsc",
                  "wsf",
                  "wsh",
                  "xbap",
                  "xll",
                  "xnk"
                )
                or (
                  // BASIC files can naturally occur in word docs,
                  // so only flag if depth is 1 (archive -> bas, not archive -> doc -> bas)
                  .depth == 1
                  and .file_extension =~ "bas"
                )
        )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - any of:
    - .file_extension in $file_extensions_common_archives
    - .file_type is 'rar'
  - any of file.explode(.) where any holds:
    - .file_extension in ('ade', 'adp', 'apk', 'appx', 'appxbundle', 'bat', 'cab', 'chm', 'cmd', 'com', 'cpl', 'dll', 'dmg', 'ex', 'ex_', 'exe', 'hta', 'ins', 'isp', 'iso', 'jar', 'js', 'jse', 'lib', 'lnk', 'mde', 'msc', 'msi', 'msix', 'msixbundle', 'msp', 'mst', 'nsh', 'pif', 'ps1', 'scr', 'sct', 'shb', 'sys', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh', 'ade', 'adp', 'app', 'application', 'appref-ms', 'asp', 'aspx', 'asx', 'bat', 'bgi', 'cab', 'chm', 'cmd', 'cnt', 'com', 'cpl', 'diagcab', 'exe', 'fxp', 'gadget', 'hlp', 'hpj', 'hta', 'htc', 'ins', 'iso', 'isp', 'its', 'jar', 'jnlp', 'js', 'jse', 'ksh', 'lnk', 'mad', 'maf', 'mag', 'mam', 'maq', 'mar', 'mas', 'mat', 'mau', 'mav', 'maw', 'mcf', 'mda', 'mde', 'mdt', 'mdw', 'mdz', 'msc', 'msh', 'msh1', 'msh2', 'mshxml', 'msh1xml', 'msh2xml', 'msi', 'msp', 'mst', 'msu', 'ops', 'osd', 'pcd', 'pif', 'pl', 'plg', 'prf', 'prg', 'printerexport', 'ps1', 'ps1xml', 'ps2', 'ps2xml', 'psc1', 'psc2', 'psd1', 'psdm1', 'pst', 'pyo', 'pyw', 'pyz', 'pyzw', 'reg', 'scf', 'scr', 'sct', 'shb', 'shs', 'theme', 'url', 'vb', 'vbe', 'vbp', 'vbs', 'vhd', 'vhdx', 'vsmacros', 'vsw', 'webpnp', 'website', 'ws', 'wsc', 'wsf', 'wsh', 'xbap', 'xll', 'xnk')
    - all of:
      - .depth is 1
      - .file_extension is 'bas'
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - profile.by_sender().any_messages_malicious_or_spam
- not:
  - profile.by_sender().any_messages_benign
Inspects: attachments[].file_extension, attachments[].file_type, type.inbound. Sensors: file.explode, profile.by_sender. Reference lists: $file_extensions_common_archives.
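To make the nesting and depth behaviour of this rule concrete, here is an added Python model of its decision logic. This is example code, not Sublime's rule engine and not the file.explode sensor: it only opens ZIP containers (Sublime's sensor walks many archive formats and can read member names out of password-protected archives), the ARCHIVE_EXTS set is an assumed stand-in for the $file_extensions_common_archives reference list, the .file_type == "rar" magic check is not modelled, and the sample archives and sender-profile inputs are constructed for the demonstration.

```python
"""Model of the 'Archive containing disallowed file type' rule (added example, not Sublime's code)."""
import io
import zipfile
from dataclasses import dataclass

# Merged Gmail + Microsoft 365 default-block lists taken from the rule body, lower-cased
# so that matching is case-insensitive, as MQL's `in~` is.
BLOCKED = frozenset("""
ade adp apk appx appxbundle bat cab chm cmd com cpl dll dmg ex ex_ exe hta ins
isp iso jar js jse lib lnk mde msc msi msix msixbundle msp mst nsh pif ps1 scr
sct shb sys vb vbe vbs vxd wsc wsf wsh app application appref-ms asp aspx asx
bgi cnt diagcab fxp gadget hlp hpj htc its jnlp ksh mad maf mag mam maq mar mas
mat mau mav maw mcf mda mdt mdw mdz msh msh1 msh2 mshxml msh1xml msh2xml msu
ops osd pcd pl plg prf prg printerexport ps1xml ps2 ps2xml psc1 psc2 psd1 psdm1
pst pyo pyw pyz pyzw reg scf shs theme url vbp vhd vhdx vsmacros vsw webpnp
website ws xbap xll xnk
""".split())

# Assumed stand-in for the $file_extensions_common_archives reference list.
ARCHIVE_EXTS = frozenset({"zip", "7z", "rar", "tar", "gz"})


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass(frozen=True)
class Exploded:
    name: str
    depth: int  # 1 = directly inside the attachment archive, 2 = one container deeper

    @property
    def file_extension(self) -> str:
        return _ext(self.name)


def explode(data: bytes, depth: int = 1) -> list[Exploded]:
    """Recursively list ZIP members and the members of any ZIP nested inside.

    Member names live in the (unencrypted) central directory, so they are still
    listed when the contents are password-protected; only the recursion into the
    protected member is skipped.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found.append(Exploded(info.filename, depth))
            try:
                member = zf.read(info)
            except RuntimeError:  # encrypted member: name known, bytes not
                continue
            if zipfile.is_zipfile(io.BytesIO(member)):
                found.extend(explode(member, depth + 1))
    return found


def attachment_matches(name: str, data: bytes) -> list[Exploded]:
    """Exploded members that satisfy the rule's attachment condition."""
    if _ext(name) not in ARCHIVE_EXTS:
        return []
    hits = []
    for member in explode(data):
        ext = member.file_extension
        # .bas is only flagged at depth 1: archive -> bas, not archive -> doc -> bas
        if ext in BLOCKED or (ext == "bas" and member.depth == 1):
            hits.append(member)
    return hits


def rule_matches(inbound: bool, attachments: dict[str, bytes], sender_prevalence: str,
                 sender_malicious_or_spam: bool, sender_benign: bool) -> bool:
    """Whole rule: inbound, a matching attachment, and the sender-profile gating."""
    if not inbound:
        return False
    if not any(attachment_matches(n, d) for n, d in attachments.items()):
        return False
    if sender_prevalence not in ("new", "outlier") and not sender_malicious_or_spam:
        return False
    return not sender_benign


def _zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed samples (inert placeholder bytes, not real files).
SAMPLE_NESTED = _zip({"invoice.pdf.zip": _zip({"Invoice.LNK": b"x"}), "readme.txt": b"hi"})
SAMPLE_DOC = _zip({"report.docx": _zip({"vbaProject.bas": b"Sub Main()\n"})})  # bas at depth 2
SAMPLE_BAS_TOP = _zip({"module.bas": b"Sub Main()\n"})  # bas at depth 1

if __name__ == "__main__":
    for label, blob in [("nested", SAMPLE_NESTED), ("doc", SAMPLE_DOC), ("bas-top", SAMPLE_BAS_TOP)]:
        print(label, [(m.name, m.depth) for m in attachment_matches(f"{label}.zip", blob)])
```

Running it shows the three cases the rule comments describe: the upper-cased `.LNK` two levels down is caught, the `.bas` inside a document-like container is ignored, and a `.bas` sitting directly in the archive is flagged.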
Indicators matched (124)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | rar |
| file.explode(attachments[])[].file_extension | member | ade |
| file.explode(attachments[])[].file_extension | member | adp |
| file.explode(attachments[])[].file_extension | member | apk |
| file.explode(attachments[])[].file_extension | member | appx |
| file.explode(attachments[])[].file_extension | member | appxbundle |
| file.explode(attachments[])[].file_extension | member | bat |
| file.explode(attachments[])[].file_extension | member | cab |
| file.explode(attachments[])[].file_extension | member | chm |
| file.explode(attachments[])[].file_extension | member | cmd |
| file.explode(attachments[])[].file_extension | member | com |
| file.explode(attachments[])[].file_extension | member | cpl |
| file.explode(attachments[])[].file_extension | member | dll |
| file.explode(attachments[])[].file_extension | member | dmg |
| file.explode(attachments[])[].file_extension | member | ex |
| file.explode(attachments[])[].file_extension | member | ex_ |
| file.explode(attachments[])[].file_extension | member | exe |
| file.explode(attachments[])[].file_extension | member | hta |
| file.explode(attachments[])[].file_extension | member | ins |
| file.explode(attachments[])[].file_extension | member | isp |
| file.explode(attachments[])[].file_extension | member | iso |
| file.explode(attachments[])[].file_extension | member | jar |
| file.explode(attachments[])[].file_extension | member | js |
| file.explode(attachments[])[].file_extension | member | jse |
| file.explode(attachments[])[].file_extension | member | lib |
| file.explode(attachments[])[].file_extension | member | lnk |
| file.explode(attachments[])[].file_extension | member | mde |
| file.explode(attachments[])[].file_extension | member | msc |
| file.explode(attachments[])[].file_extension | member | msi |
| file.explode(attachments[])[].file_extension | member | msix |
| file.explode(attachments[])[].file_extension | member | msixbundle |
| file.explode(attachments[])[].file_extension | member | msp |
| file.explode(attachments[])[].file_extension | member | mst |
| file.explode(attachments[])[].file_extension | member | nsh |
| file.explode(attachments[])[].file_extension | member | pif |
| file.explode(attachments[])[].file_extension | member | ps1 |
| file.explode(attachments[])[].file_extension | member | scr |
| file.explode(attachments[])[].file_extension | member | sct |
| file.explode(attachments[])[].file_extension | member | shb |
| file.explode(attachments[])[].file_extension | member | sys |
| file.explode(attachments[])[].file_extension | member | vb |
| file.explode(attachments[])[].file_extension | member | vbe |
| file.explode(attachments[])[].file_extension | member | vbs |
| file.explode(attachments[])[].file_extension | member | vxd |
| file.explode(attachments[])[].file_extension | member | wsc |
| file.explode(attachments[])[].file_extension | member | wsf |
| file.explode(attachments[])[].file_extension | member | wsh |
| file.explode(attachments[])[].file_extension | member | app |
| file.explode(attachments[])[].file_extension | member | application |
| file.explode(attachments[])[].file_extension | member | appref-ms |
| file.explode(attachments[])[].file_extension | member | asp |
| file.explode(attachments[])[].file_extension | member | aspx |
| file.explode(attachments[])[].file_extension | member | asx |
| file.explode(attachments[])[].file_extension | member | bgi |
| file.explode(attachments[])[].file_extension | member | cnt |
| file.explode(attachments[])[].file_extension | member | diagcab |
| file.explode(attachments[])[].file_extension | member | fxp |
| file.explode(attachments[])[].file_extension | member | gadget |
| file.explode(attachments[])[].file_extension | member | hlp |
| file.explode(attachments[])[].file_extension | member | hpj |
| file.explode(attachments[])[].file_extension | member | htc |
| file.explode(attachments[])[].file_extension | member | its |
| file.explode(attachments[])[].file_extension | member | jnlp |
| file.explode(attachments[])[].file_extension | member | ksh |
| file.explode(attachments[])[].file_extension | member | mad |
| file.explode(attachments[])[].file_extension | member | maf |
| file.explode(attachments[])[].file_extension | member | mag |
| file.explode(attachments[])[].file_extension | member | mam |
| file.explode(attachments[])[].file_extension | member | maq |
| file.explode(attachments[])[].file_extension | member | mar |
| file.explode(attachments[])[].file_extension | member | mas |
| file.explode(attachments[])[].file_extension | member | mat |
| file.explode(attachments[])[].file_extension | member | mau |
| file.explode(attachments[])[].file_extension | member | mav |
| file.explode(attachments[])[].file_extension | member | maw |
| file.explode(attachments[])[].file_extension | member | mcf |
| file.explode(attachments[])[].file_extension | member | mda |
| file.explode(attachments[])[].file_extension | member | mdt |
| file.explode(attachments[])[].file_extension | member | mdw |
| file.explode(attachments[])[].file_extension | member | mdz |
| file.explode(attachments[])[].file_extension | member | msh |
| file.explode(attachments[])[].file_extension | member | msh1 |
| file.explode(attachments[])[].file_extension | member | msh2 |
| file.explode(attachments[])[].file_extension | member | mshxml |
| file.explode(attachments[])[].file_extension | member | msh1xml |
| file.explode(attachments[])[].file_extension | member | msh2xml |
| file.explode(attachments[])[].file_extension | member | msu |
| file.explode(attachments[])[].file_extension | member | ops |
| file.explode(attachments[])[].file_extension | member | osd |
| file.explode(attachments[])[].file_extension | member | pcd |
| file.explode(attachments[])[].file_extension | member | pl |
| file.explode(attachments[])[].file_extension | member | plg |
| file.explode(attachments[])[].file_extension | member | prf |
| file.explode(attachments[])[].file_extension | member | prg |
| file.explode(attachments[])[].file_extension | member | printerexport |
| file.explode(attachments[])[].file_extension | member | ps1xml |
| file.explode(attachments[])[].file_extension | member | ps2 |
| file.explode(attachments[])[].file_extension | member | ps2xml |
| file.explode(attachments[])[].file_extension | member | psc1 |
| file.explode(attachments[])[].file_extension | member | psc2 |
| file.explode(attachments[])[].file_extension | member | psd1 |
| file.explode(attachments[])[].file_extension | member | psdm1 |
| file.explode(attachments[])[].file_extension | member | pst |
| file.explode(attachments[])[].file_extension | member | pyo |
| file.explode(attachments[])[].file_extension | member | pyw |
| file.explode(attachments[])[].file_extension | member | pyz |
| file.explode(attachments[])[].file_extension | member | pyzw |
| file.explode(attachments[])[].file_extension | member | reg |
| file.explode(attachments[])[].file_extension | member | scf |
| file.explode(attachments[])[].file_extension | member | shs |
| file.explode(attachments[])[].file_extension | member | theme |
| file.explode(attachments[])[].file_extension | member | url |
| file.explode(attachments[])[].file_extension | member | vbp |
| file.explode(attachments[])[].file_extension | member | vhd |
| file.explode(attachments[])[].file_extension | member | vhdx |
| file.explode(attachments[])[].file_extension | member | vsmacros |
| file.explode(attachments[])[].file_extension | member | vsw |
| file.explode(attachments[])[].file_extension | member | webpnp |
| file.explode(attachments[])[].file_extension | member | website |
| file.explode(attachments[])[].file_extension | member | ws |
| file.explode(attachments[])[].file_extension | member | xbap |
| file.explode(attachments[])[].file_extension | member | xll |
| file.explode(attachments[])[].file_extension | member | xnk |
| file.explode(attachments[])[].file_extension | equals | bas |