Detection rules › Sublime MQL
Suspicious VBA macros from untrusted sender
Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Macros |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and ml.macro_classifier(.).malicious
and ml.macro_classifier(.).confidence in ("high")
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Detection logic
Scope: inbound message.
Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
- inbound message
any of
attachmentswhere all hold:any of:
- .file_extension in $file_extensions_macros
all of:
- .file_extension is missing
- .file_type is 'unknown'
- .content_type is 'application/octet-stream'
- .size < 100000000
- ml.macro_classifier(.).malicious
- ml.macro_classifier(.).confidence in ('high')
any of:
- profile.by_sender().prevalence in ('new', 'outlier')
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, type.inbound. Sensors: ml.macro_classifier, profile.by_sender. Reference lists: $file_extensions_macros.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
attachments[].file_type | equals | unknown |
attachments[].content_type | equals | application/octet-stream |