Attachment: Excel file with document sharing lure created by Go Excelize

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Macros, Social engineering

Event coverage

Rule body MQL

type.inbound
and any(filter(attachments,
               .file_extension in $file_extensions_macros
               // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
               and .size < 2000000
        ),
        any(file.explode(.),
            // document sharing lure
            (
              length(.scan.strings.raw) < 1000
              and regex.icontains(.scan.strings.raw,
                                  '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
              )
            )
            or strings.icontains(.scan.strings.raw,
                                 'Please download this spreadsheet or SVG and click'
            )
            or (
              length(.scan.strings.raw) < 500
              and strings.contains(.scan.strings.raw, 'REVIEW DOCUMENT')
            )
        )
        and beta.parse_exif(.).creator == "xuri"
        and any(beta.parse_exif(.).fields,
                .key == "Application" and .value == "Go Excelize"
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of filter(attachments) with .file_extension in $file_extensions_macros and .size < 2000000 where all hold:
    • any of file.explode(.) where any holds:
      • all of:
        • length(.scan.strings.raw) < 1000
        • .scan.strings.raw matches '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)'
      • .scan.strings.raw contains 'Please download this spreadsheet or SVG and click'
      • all of:
        • length(.scan.strings.raw) < 500
        • .scan.strings.raw contains 'REVIEW DOCUMENT'
    • beta.parse_exif(.).creator is 'xuri'
    • any of beta.parse_exif(.).fields where all hold:
      • .key is 'Application'
      • .value is 'Go Excelize'

Inspects: attachments[].file_extension, attachments[].size, type.inbound. Sensors: beta.parse_exif, file.explode, regex.icontains, strings.contains, strings.icontains. Reference lists: $file_extensions_macros.
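The per-attachment logic above, re-implemented in Python so it can be exercised offline against constructed samples. This is an added example, not the rule itself or code from sublime-rules: MACRO_EXTENSIONS is an assumed subset of Sublime's $file_extensions_macros list, the docProps/core.xml and docProps/app.xml parts are assumed to be what beta.parse_exif exposes as creator and the "Application" field, and the shared-string table is used as a crude stand-in for .scan.strings.raw (Sublime's strings scan covers the whole exploded file). The three samples are constructed in-memory zips, not real files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed subset of Sublime's $file_extensions_macros reference list.
MACRO_EXTENSIONS = {"xlsm", "xltm", "xlam", "docm", "dotm", "pptm"}
MAX_SIZE = 2_000_000  # the rule's size cap, in bytes

# Same pattern and phrases as the rule's document-sharing lure check.
LURE_REGEX = re.compile(
    r"(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)",
    re.IGNORECASE,
)
DOWNLOAD_PHRASE = "Please download this spreadsheet or SVG and click"

DC_NS = "{http://purl.org/dc/elements/1.1/}"
APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def office_metadata(blob: bytes) -> dict:
    """Read dc:creator and Application from the docProps parts of an OOXML zip.
    Assumed stand-in for beta.parse_exif(.).creator and its 'Application' field."""
    meta = {"creator": None, "Application": None}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            el = ET.fromstring(z.read("docProps/core.xml")).find(DC_NS + "creator")
            if el is not None:
                meta["creator"] = (el.text or "").strip()
        if "docProps/app.xml" in names:
            el = ET.fromstring(z.read("docProps/app.xml")).find(APP_NS + "Application")
            if el is not None:
                meta["Application"] = (el.text or "").strip()
    return meta


def cell_strings(blob: bytes) -> str:
    """Crude stand-in for .scan.strings.raw: only the workbook's shared-string text."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return "\n".join(t.text or "" for t in root.iter(SML_NS + "t"))


def lure_text_matches(raw: str) -> bool:
    """The three alternatives of the rule's lure check, including its length caps."""
    return (
        (len(raw) < 1000 and LURE_REGEX.search(raw) is not None)
        or DOWNLOAD_PHRASE.lower() in raw.lower()
        or (len(raw) < 500 and "REVIEW DOCUMENT" in raw)
    )


def attachment_matches(filename: str, blob: bytes) -> bool:
    """Full per-attachment logic: macro extension, size cap, lure text, Excelize metadata."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MACRO_EXTENSIONS or len(blob) >= MAX_SIZE:
        return False
    if not lure_text_matches(cell_strings(blob)):
        return False
    meta = office_metadata(blob)
    return meta["creator"] == "xuri" and meta["Application"] == "Go Excelize"


def build_sample(creator: str, application: str, cell_text: str) -> bytes:
    """Constructed minimal OOXML zip with only the parts the checks read (not an openable workbook)."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{creator}</dc:creator></cp:coreProperties>"
    )
    app = f'<Properties xmlns="{APP_NS[1:-1]}"><Application>{application}</Application></Properties>'
    sst = f'<sst xmlns="{SML_NS[1:-1]}"><si><t>{cell_text}</t></si></sst>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


# Constructed samples: Excelize metadata with a lure, Excel metadata with a lure, Excelize without a lure.
LURE_SAMPLE = build_sample("xuri", "Go Excelize", "Alex has shared a document with you. REVIEW DOCUMENT")
EXCEL_SAMPLE = build_sample("Finance Team", "Microsoft Excel", "Alex has shared a document with you.")
NO_LURE_SAMPLE = build_sample("xuri", "Go Excelize", "Quarterly revenue by region")

if __name__ == "__main__":
    for name, blob in [("Invoice.xlsm", LURE_SAMPLE), ("Invoice.xlsm", EXCEL_SAMPLE), ("Report.xlsm", NO_LURE_SAMPLE)]:
        print(name, office_metadata(blob), attachment_matches(name, blob))
```

Only the first sample fires: the second has the lure text but not the Excelize metadata, and the third has the metadata but no lure text. Swapping the extension to .xlsx on the first sample also suppresses the match, which is the $file_extensions_macros filter at work.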

Indicators matched (5)

  • regex.icontains, regex match: (?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)
  • strings.icontains, substring match: Please download this spreadsheet or SVG and click
  • strings.contains, substring match: REVIEW DOCUMENT
  • beta.parse_exif(filter(attachments)[]).fields[].key, equals: Application
  • beta.parse_exif(filter(attachments)[]).fields[].value, equals: Go Excelize