Attachment: Office document with VSTO add-in
Recursively scans files and archives to detect Office documents with VSTO Add-ins.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Scripting |
Rule body (MQL)

```mql
type.inbound
and any(attachments,
        (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
            )
        )
        and any(file.explode(.),
                .file_extension in~ (
                    "doc",
                    "docm",
                    "docx",
                    "dot",
                    "dotm",
                    "xls",
                    "xlsx",
                    "xlsm",
                    "xlm",
                    "xlsb",
                    "xlt",
                    "xltm",
                    "ppt",
                    "pptx",
                    "pptm",
                    "ppsm"
                )
                and any(.scan.exiftool.fields,
                        .key == "Tag_AssemblyLocation"
                        and strings.ilike(.value, "*.vsto*")
                        and not strings.ilike(.value, 'C:\Program Files*')
                        and not any($org_domains, strings.contains(..value, .))
                )
        )
)
// the message is unsolicited and no false positives
and (
    not profile.by_sender().solicited
    or (
        length(headers.reply_to) > 0
        and all(headers.reply_to, .email.email not in $recipient_emails)
    )
)
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - any of:
    - .file_extension in $file_extensions_macros
    - .file_extension in $file_extensions_common_archives
    - all of:
      - .file_extension is missing
      - .file_type is 'unknown'
      - .content_type is 'application/octet-stream'
      - .size < 100000000
  - any of file.explode(.) where all hold:
    - .file_extension in ('doc', 'docm', 'docx', 'dot', 'dotm', 'xls', 'xlsx', 'xlsm', 'xlm', 'xlsb', 'xlt', 'xltm', 'ppt', 'pptx', 'pptm', 'ppsm')
    - any of .scan.exiftool.fields where all hold:
      - .key is 'Tag_AssemblyLocation'
      - .value matches '*.vsto*'
      - not: .value matches 'C:\Program Files*'
      - not: any of $org_domains where: strings.contains(.value, .)
- any of:
  - not: profile.by_sender().solicited
  - all of:
    - length(headers.reply_to) > 0
    - all of headers.reply_to where: .email.email not in $recipient_emails
- not: profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, headers.reply_to, headers.reply_to[].email.email, type.inbound. Sensors: file.explode, profile.by_sender, strings.contains, strings.ilike. Reference lists: $file_extensions_common_archives, $file_extensions_macros, $org_domains, $recipient_emails.
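To see what the exiftool clause is keying on, here is an added Python check (not part of the rule or of Sublime's tooling) that reads the `_AssemblyLocation` custom property from an OOXML document's `docProps/custom.xml` and applies the rule's three conditions to it. It assumes that ExifTool's `Tag_AssemblyLocation` is that property, covers only zip-based OOXML files (not legacy OLE documents, which the rule also handles through exiftool), and uses constructed sample documents and a constructed org-domain list.

```python
import fnmatch
import io
import zipfile
import xml.etree.ElementTree as ET

# Stand-in for the rule's $org_domains reference list (constructed value).
ORG_DOMAINS = ["example.com"]
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}

def custom_properties(doc_bytes):
    """Return {name: value} from docProps/custom.xml of an OOXML file ({} if absent)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    # Each <property name="..."> wraps one typed value element such as <vt:lpwstr>.
    return {p.get("name"): "".join(c.text or "" for c in p)
            for p in root.findall("cp:property", NS)}

def ilike(value, pattern):
    """Case-insensitive glob match, the same shape as MQL's strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def suspicious_vsto(doc_bytes, org_domains=ORG_DOMAINS):
    """Mirror the rule's exiftool clause on the raw _AssemblyLocation property
    (ExifTool reports it as Tag_AssemblyLocation; that mapping is assumed here)."""
    location = custom_properties(doc_bytes).get("_AssemblyLocation")
    if location is None:
        return False
    return (ilike(location, "*.vsto*")
            and not ilike(location, r"C:\Program Files*")
            and not any(domain in location for domain in org_domains))

def build_doc(assembly_location):
    """Constructed minimal OOXML container; None omits docProps/custom.xml."""
    custom_xml = ('<Properties xmlns="%s" xmlns:vt="%s"><property '
                  'fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
                  'name="_AssemblyLocation"><vt:lpwstr>%s</vt:lpwstr></property>'
                  '</Properties>' % (NS["cp"], NS["vt"], assembly_location))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if assembly_location is not None:
            zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()
```

A document whose add-in manifest lives under `C:\Program Files` or on one of the org's own domains passes, which is exactly the allow-listing the two `not` conditions in the rule perform.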
Indicators matched (21)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | unknown |
| attachments[].content_type | equals | application/octet-stream |
| file.explode(attachments[])[].file_extension | member | doc |
| file.explode(attachments[])[].file_extension | member | docm |
| file.explode(attachments[])[].file_extension | member | docx |
| file.explode(attachments[])[].file_extension | member | dot |
| file.explode(attachments[])[].file_extension | member | dotm |
| file.explode(attachments[])[].file_extension | member | xls |
| file.explode(attachments[])[].file_extension | member | xlsx |
| file.explode(attachments[])[].file_extension | member | xlsm |
| file.explode(attachments[])[].file_extension | member | xlm |
| file.explode(attachments[])[].file_extension | member | xlsb |
| file.explode(attachments[])[].file_extension | member | xlt |
| file.explode(attachments[])[].file_extension | member | xltm |
| file.explode(attachments[])[].file_extension | member | ppt |
| file.explode(attachments[])[].file_extension | member | pptx |
| file.explode(attachments[])[].file_extension | member | pptm |
| file.explode(attachments[])[].file_extension | member | ppsm |
| file.explode(attachments[])[].scan.exiftool.fields[].key | equals | Tag_AssemblyLocation |
| strings.ilike | substring | *.vsto* |
| strings.ilike | substring | C:\Program Files* |