Detection rules › Sublime MQL
Attachment with high risk VBA macro (unsolicited)
Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Macros |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and file.oletools(.).indicators.vba_macros.risk == "high"
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Detection logic
Scope: inbound message.
Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.
- inbound message
any of
attachmentswhere all hold:any of:
- .file_extension in $file_extensions_macros
all of:
- .file_extension is missing
- .file_type is 'unknown'
- .content_type is 'application/octet-stream'
- .size < 100000000
- file.oletools(.).indicators.vba_macros.risk is 'high'
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, type.inbound. Sensors: file.oletools, profile.by_sender. Reference lists: $file_extensions_macros.
Indicators matched (2)
| Field | Match | Value |
|---|---|---|
attachments[].file_type | equals | unknown |
attachments[].content_type | equals | application/octet-stream |