Attachment: Office file with document sharing and browser instruction lures

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Social engineering, Evasion

Event coverage

Message attribute
attachments (collection)
type

Rule body MQL

type.inbound
and any(filter(attachments,
               .file_extension in $file_extensions_macros
               // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
               and .size < 2000000
        ),
        // Detection Note: There are multiple regex patterns used in multiple places, it'll be important to keep them in sync
        any(file.explode(.),
            // document sharing lure
            (
              length(.scan.strings.raw, ) < 1000
              and regex.icontains(.scan.strings.raw,
                                  '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
              )
            )

            // ocr output
            or (
              length(.scan.ocr.raw) < 1000
              and regex.icontains(.scan.ocr.raw,
                                  '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
              )
            )
            or (
              length(.scan.ocr.raw) < 500
              and strings.ends_with(.scan.ocr.raw, 'REVIEW DOCUMENTS')
            )
        )
        // copy/paste stuff or disclaimer text in the OCR output
        and (
          any(file.explode(.),
              (
                length(.scan.strings.raw, ) < 1000
                and (
                  regex.icontains(.scan.strings.raw,
                                  '(?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser',
                                  'click.{0,50}(?:above|below|button) to (?:access|open)'
                  )
                )
              )

              // ocr output
              or (
                length(.scan.ocr.raw) < 1000
                and (
                  regex.icontains(.scan.ocr.raw,
                                  '(?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser',
                                  'click.{0,50}(?:above|below|button) to (?:access|open)'
                  )
                )
              )
              or 5 of (
                strings.icontains(.scan.ocr.raw,
                                  'confidential and intended solely'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'intended solely for the use of'
                ),
                strings.icontains(.scan.ocr.raw, 'intended only for the people'),
                strings.icontains(.scan.ocr.raw, 'intended recipient'),
                strings.icontains(.scan.ocr.raw, 'received this email in error'),
                strings.icontains(.scan.ocr.raw,
                                  'notify the sender immediately'
                ),
                strings.icontains(.scan.ocr.raw, 'delete it from your system'),
                strings.icontains(.scan.ocr.raw, 'delete the email from'),
                strings.icontains(.scan.ocr.raw, 'virus-free'),
                strings.icontains(.scan.ocr.raw, 'scan for viruses'),
                strings.icontains(.scan.ocr.raw, 'legally binding agreement'),
                strings.icontains(.scan.ocr.raw, 'informational purposes only'),
                strings.icontains(.scan.ocr.raw,
                                  'any attachments are confidential'
                ),
                strings.icontains(.scan.ocr.raw, 'loss or damage arising'),
                strings.icontains(.scan.ocr.raw, 'responsibility for any loss'),
                strings.icontains(.scan.ocr.raw, 'unauthorised and prohibited'),
                strings.icontains(.scan.ocr.raw, 'subject to legal privilege'),
                strings.icontains(.scan.ocr.raw,
                                  'The information contained in or attached'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'The information contained in this email'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'people to whom it is addressed'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'received this in error, please inform'
                ),
                strings.icontains(.scan.ocr.raw, 'inform the sender and/or'),
                strings.icontains(.scan.ocr.raw,
                                  'immediately and delete the material'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'then delete the email from your inbox'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'confidential and/or privileged material'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'confidential and / or legally privileged'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'The information transmitted is intended'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'other than the intended recipient is prohibited'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'intended for use by the addressee'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'taking of any action in reliance upon'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'distribution is strictly prohibited'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'communication from the sender is confidential'
                ),
                strings.icontains(.scan.ocr.raw, 'use by the recipient'),
                strings.icontains(.scan.ocr.raw,
                                  'and others authorized to receive it'
                ),
                strings.icontains(.scan.ocr.raw, 'you are hereby notified'),
                strings.icontains(.scan.ocr.raw,
                                  'action in relation of the contents of this information'
                ),
                strings.icontains(.scan.ocr.raw,
                                  'The information contained in this'
                ),
                strings.icontains(.scan.ocr.raw, 'you are not the recipient'),
                strings.icontains(.scan.ocr.raw, 'may be unlawful'),
              )
          )
        )
)

Detection logic

Scope: inbound message.

inbound message
any of filter(attachments) where all hold:
- any of file.explode(.) where any holds:
  - all of:
    
    length(.scan.strings.raw) < 1000
    .scan.strings.raw matches '(?:sent|shared|forwarded|provided|invited|received)(?:\\s+\\w+){0,9}\\s+(?:document|file|attachment)'
  - all of:
    
    length(.scan.ocr.raw) < 1000
    .scan.ocr.raw matches '(?:sent|shared|forwarded|provided|invited|received)(?:\\s+\\w+){0,9}\\s+(?:document|file|attachment)'
  - all of:
    
    length(.scan.ocr.raw) < 500
    .scan.ocr.raw ends with 'REVIEW DOCUMENTS'
- any of file.explode(.) where any holds:
  - all of:
    
    length(.scan.strings.raw) < 1000
    .scan.strings.raw matches any of 2 patterns
    
    (?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser
    click.{0,50}(?:above|below|button) to (?:access|open)
  - all of:
    
    length(.scan.ocr.raw) < 1000
    .scan.ocr.raw matches any of 2 patterns
    
    (?:copy (?:and paste)?|right.?click)(?:\s+\w+\s*){0,9}browser
    click.{0,50}(?:above|below|button) to (?:access|open)
  - at least 5 of 39: .scan.ocr.raw contains any of 39 patterns
    
    confidential and intended solely
    intended solely for the use of
    intended only for the people
    intended recipient
    received this email in error
    notify the sender immediately
    delete it from your system
    delete the email from
    virus-free
    scan for viruses
    legally binding agreement
    informational purposes only
    any attachments are confidential
    loss or damage arising
    responsibility for any loss
    unauthorised and prohibited
    subject to legal privilege
    The information contained in or attached
    The information contained in this email
    people to whom it is addressed
    received this in error, please inform
    inform the sender and/or
    immediately and delete the material
    then delete the email from your inbox
    confidential and/or privileged material
    confidential and / or legally privileged
    The information transmitted is intended
    other than the intended recipient is prohibited
    intended for use by the addressee
    taking of any action in reliance upon
    distribution is strictly prohibited
    communication from the sender is confidential
    use by the recipient
    and others authorized to receive it
    you are hereby notified
    action in relation of the contents of this information
    The information contained in this
    you are not the recipient
    may be unlawful

Inspects: attachments[].file_extension, attachments[].size, type.inbound. Sensors: file.explode, regex.icontains, strings.ends_with, strings.icontains. Reference lists: $file_extensions_macros.

Indicators matched (43)

Field	Match	Value
`regex.icontains`	regex	`(?:sent\|shared\|forwarded\|provided\|invited\|received)(?:\s+\w+){0,9}\s+(?:document\|file\|attachment)`
`strings.ends_with`	suffix	`REVIEW DOCUMENTS`
`regex.icontains`	regex	`(?:copy (?:and paste)?\|right.?click)(?:\s+\w+\s*){0,9}browser`
`regex.icontains`	regex	`click.{0,50}(?:above\|below\|button) to (?:access\|open)`
`strings.icontains`	substring	`confidential and intended solely`
`strings.icontains`	substring	`intended solely for the use of`
`strings.icontains`	substring	`intended only for the people`
`strings.icontains`	substring	`intended recipient`
`strings.icontains`	substring	`received this email in error`
`strings.icontains`	substring	`notify the sender immediately`
`strings.icontains`	substring	`delete it from your system`
`strings.icontains`	substring	`delete the email from`

31 more

`strings.icontains`	substring	`virus-free`
`strings.icontains`	substring	`scan for viruses`
`strings.icontains`	substring	`legally binding agreement`
`strings.icontains`	substring	`informational purposes only`
`strings.icontains`	substring	`any attachments are confidential`
`strings.icontains`	substring	`loss or damage arising`
`strings.icontains`	substring	`responsibility for any loss`
`strings.icontains`	substring	`unauthorised and prohibited`
`strings.icontains`	substring	`subject to legal privilege`
`strings.icontains`	substring	`The information contained in or attached`
`strings.icontains`	substring	`The information contained in this email`
`strings.icontains`	substring	`people to whom it is addressed`
`strings.icontains`	substring	`received this in error, please inform`
`strings.icontains`	substring	`inform the sender and/or`
`strings.icontains`	substring	`immediately and delete the material`
`strings.icontains`	substring	`then delete the email from your inbox`
`strings.icontains`	substring	`confidential and/or privileged material`
`strings.icontains`	substring	`confidential and / or legally privileged`
`strings.icontains`	substring	`The information transmitted is intended`
`strings.icontains`	substring	`other than the intended recipient is prohibited`
`strings.icontains`	substring	`intended for use by the addressee`
`strings.icontains`	substring	`taking of any action in reliance upon`
`strings.icontains`	substring	`distribution is strictly prohibited`
`strings.icontains`	substring	`communication from the sender is confidential`
`strings.icontains`	substring	`use by the recipient`
`strings.icontains`	substring	`and others authorized to receive it`
`strings.icontains`	substring	`you are hereby notified`
`strings.icontains`	substring	`action in relation of the contents of this information`
`strings.icontains`	substring	`The information contained in this`
`strings.icontains`	substring	`you are not the recipient`
`strings.icontains`	substring	`may be unlawful`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)