Detection rules › Sublime MQL
Attachment: Emotet heavily padded doc in zip file
Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. Contents may include Red Dawn templates exceeding 500MB.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body (MQL)
```mql
type.inbound
and any(attachments,
        .file_extension == "zip"
        and any(file.explode(.),
                .depth == 0
                and .size < 1000000
                and not .depth > 0
                and strings.ends_with(.scan.exiftool.zip_file_name, ".doc")
                and .scan.exiftool.zip_uncompressed_size > 500000000
        )
)
and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_messages_benign
    )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - .file_extension is 'zip'
  - any of file.explode(.) where all hold:
    - .depth is 0
    - .size < 1000000
    - not: .depth > 0
    - .scan.exiftool.zip_file_name ends with '.doc'
    - .scan.exiftool.zip_uncompressed_size > 500000000
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not: profile.by_sender().any_messages_benign
Inspects: attachments[].file_extension, type.inbound. Sensors: file.explode, profile.by_sender, strings.ends_with.
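The same two halves of the rule (the small-zip/huge-.doc attachment check and the sender-profile check), re-implemented in Python as an added example; this is not Sublime's code. It assumes that the exiftool fields zip_file_name and zip_uncompressed_size describe the archive's first entry, and the 64-byte sample zip is constructed here so the metadata reader can run offline.

```python
import io
import zipfile
from dataclasses import dataclass

MAX_ZIP_BYTES = 1_000_000             # rule: .size < 1000000
MIN_UNCOMPRESSED_BYTES = 500_000_000  # rule: zip_uncompressed_size > 500000000


@dataclass
class ZipMeta:
    """The depth-0 fields the rule reads from file.explode() on the zip itself."""
    zip_size: int           # size of the archive as attached
    first_entry_name: str   # exiftool ZipFileName (first entry; assumed)
    first_entry_size: int   # exiftool ZipUncompressedSize for that entry (assumed)


def zip_meta_from_bytes(data: bytes) -> ZipMeta:
    """Pull the same three fields out of a real zip with the stdlib zipfile module."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        first = zf.infolist()[0]
        return ZipMeta(len(data), first.filename, first.file_size)


def padded_doc_in_small_zip(meta: ZipMeta) -> bool:
    """Attachment half: under 1 MB on the wire, first entry a .doc over 500 MB inflated."""
    return (
        meta.zip_size < MAX_ZIP_BYTES
        and meta.first_entry_name.endswith(".doc")
        and meta.first_entry_size > MIN_UNCOMPRESSED_BYTES
    )


def sender_is_suspicious(prevalence: str, any_malicious_or_spam: bool,
                         any_benign: bool) -> bool:
    """profile.by_sender() half: unknown sender, or bad history with nothing benign."""
    return prevalence in ("new", "outlier") or (any_malicious_or_spam and not any_benign)


def rule_matches(inbound: bool, zips: list, prevalence: str,
                 any_malicious_or_spam: bool, any_benign: bool) -> bool:
    """Whole rule: inbound AND some zip attachment matches AND the sender profile matches."""
    return (inbound
            and any(padded_doc_in_small_zip(m) for m in zips)
            and sender_is_suspicious(prevalence, any_malicious_or_spam, any_benign))


def build_sample_zip() -> bytes:
    """Constructed benign sample: a 64-byte .doc deflated in memory; must NOT match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()
```

The constructed padded metadata (45 KB zip, 520 MB .doc inside) is what the rule is built for; the in-memory sample zip shows the ordinary case that falls through.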
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
| attachments[].file_extension | equals | zip |
| strings.ends_with | suffix | .doc |