
Malware Detected in Email

Severity: high
Entities: actor_ids, domain_names, ip_addresses
Log types: GSuite.ActivityEvent
Tags: GSuite, Gmail, Malware, Initial Access
Reference: https://support.google.com/a/answer/12384955
Source: github.com/panther-labs/panther-analysis

Detects when malware is found in an email received by a user. Identifies different malware families including known malicious programs, viruses, worms, harmful content, and unwanted content. Severity is dynamically assigned based on the malware type, with known malicious programs and viruses triggering high-severity alerts.

MITRE ATT&CK coverage

Rule body (YAML)

AnalysisType: rule
Filename: gsuite_malware_in_email.py
RuleID: "GSuite.Gmail.Malware.In.Email"
DisplayName: "Malware Detected in Email"
Enabled: true
LogTypes:
  - GSuite.ActivityEvent
Tags:
  - GSuite
  - Gmail
  - Malware
  - Initial Access
Reports:
  MITRE ATT&CK:
    - TA0001:T1566.001 # Initial Access: Phishing - Spearphishing Attachment
    - TA0002:T1204.002 # Execution: User Execution - Malicious File
Severity: High
Description: >
  Detects when malware is found in an email received by a user. Identifies different malware families including known malicious programs, viruses, worms, harmful content, and unwanted content. Severity is dynamically assigned based on the malware type, with known malicious programs and viruses triggering high-severity alerts.
Runbook: |
  1. Review the malware type and affected user
  2. Check if the email was quarantined or delivered
  3. Verify if the user interacted with the email or opened attachments
  4. Check for similar emails to other users in the organization
  5. Consider blocking the sender domain if appropriate
  6. Notify the affected user and provide security awareness guidance
Reference: https://support.google.com/a/answer/12384955
DedupPeriodMinutes: 60
Tests:
  - Name: Known Malicious Program Detected
    ExpectedResult: true
    Log:
      {
        "p_any_ip_addresses": ["1.1.1.1"],
        "p_any_actor_ids": ["1234567891234"],
        "p_any_domain_names": ["malicious-sender.com"],
        "p_event_time": "2025-11-04 20:44:43.248000000",
        "p_log_type": "GSuite.ActivityEvent",
        "p_parse_time": "2025-11-04 20:49:46.688935963",
        "p_row_id": "0000000000de09c1dc6f0828cbad2ca5",
        "p_schema_version": 0,
        "p_source_id": "7ee69d4d-df1b-40b3-b5e8-6826dee34b1c",
        "p_source_label": "Google Workspace",
        "actor": {
          "callerType": "USER",
          "email": "oliver@justice.org",
          "profileId": "123456789"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:44:43.248000000",
          "uniqueQualifier": "-123456789"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "event_info": {
            "elapsed_time_usec": 368746,
            "timestamp_usec": 1730751883248347
          },
          "message_info": {
            "action_type": 19,
            "subject": "Important Invoice Attached",
            "num_message_attachments": 1,
            "payload_size": 54321,
            "link_domain": ["malicious-sender.com"],
            "attachment": {
              "malware_family": 1,
              "file_name": "invoice.exe",
              "sha256": "000000000045c5798d026b67c03d54273fd0996f5cb789d0a959dac0c7cc456c"
            }
          }
        },
        "type": "delivery_type"
      }

  - Name: Virus or Worm Detected
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2025-11-04 20:45:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "john@justice.org",
          "profileId": "987654321"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:45:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "message_info": {
            "subject": "RE: Meeting Notes",
            "is_spam": false,
            "num_message_attachments": 1,
            "attachment": {
              "malware_family": 2,
              "file_name": "notes.doc",
              "sha256": "b2c3d4e5f6789012345678901234567890123456789012345678901234abcde"
            }
          }
        },
        "type": "delivery_type"
      }

  - Name: Possible Harmful Content
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2025-11-04 20:46:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "hal@justice.org",
          "profileId": "111222333"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:46:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "message_info": {
            "subject": "Urgent: Click here now",
            "link_domain": ["suspicious-link.com"],
            "attachment": {
              "malware_family": 3,
              "file_name": "update.zip",
              "sha256": "c3d4e5f6789012345678901234567890123456789012345678901234abcdef"
            }
          }
        },
        "type": "delivery_type"
      }

  - Name: Possible Unwanted Content
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2025-11-04 20:47:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "barry@justice.org",
          "profileId": "444555666"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:47:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "message_info": {
            "subject": "Free Software Download",
            "is_spam": true,
            "attachment": {
              "malware_family": 4,
              "file_name": "freeware.exe",
              "sha256": "d4e5f6789012345678901234567890123456789012345678901234abcdef0"
            }
          }
        },
        "type": "delivery_type"
      }

  - Name: Other Malware Type
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2025-11-04 20:48:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "bruce@justice.org",
          "profileId": "777888999"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:48:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "message_info": {
            "subject": "Encrypted Document",
            "attachment": {
              "malware_family": 5,
              "file_name": "document.pdf",
              "sha256": "e5f6789012345678901234567890123456789012345678901234abcdef01"
            }
          }
        },
        "type": "delivery_type"
      }

  - Name: Clean Email No Malware
    ExpectedResult: false
    Log:
      {
        "p_event_time": "2025-11-04 20:50:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "john@justice.org",
          "profileId": "123123123"
        },
        "id": {
          "applicationName": "gmail",
          "customerId": "C12345",
          "time": "2025-11-04 20:50:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "delivery",
        "parameters": {
          "message_info": {
            "subject": "Team Lunch Tomorrow",
            "is_spam": false,
            "action_type": 19
          }
        },
        "type": "delivery_type"
      }

  - Name: Non-Gmail Application Event
    ExpectedResult: false
    Log:
      {
        "p_event_time": "2025-11-04 20:51:00.000000000",
        "p_log_type": "GSuite.ActivityEvent",
        "actor": {
          "callerType": "USER",
          "email": "diana@justice.org",
          "profileId": "999888777"
        },
        "id": {
          "applicationName": "drive",
          "customerId": "C12345",
          "time": "2025-11-04 20:51:00.000000000"
        },
        "ipAddress": "1.1.1.1",
        "kind": "admin#reports#activity",
        "name": "upload",
        "parameters": {
          "doc_title": "Important Document.pdf"
        },
        "type": "access"
      }

Detection logic

Condition

id.applicationName eq "gmail"
parameters.message_info.attachment.malware_family is_not_null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; blank or 1 means the indicator is specific to this rule.

Field                                             | Kind        | Values
id.applicationName                                | eq          | gmail
parameters.message_info.attachment.malware_family | is_not_null | (no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field               | Source
recipient           | actor.email
malware_family_code | parameters.message_info.attachment.malware_family
source_ip           | ipAddress
sha256              | parameters.message_info.attachment.sha256
filename            | parameters.message_info.attachment.file_name
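The condition above and the output-field mapping, written out as a Panther-style Python rule body. This is an added example, not the project's own gsuite_malware_in_email.py; the family labels are assumed from the page's test-case names, and the MEDIUM fallback severity for families other than 1 and 2 is an assumption (the page only states that those two alert HIGH).

```python
# Added example, not the project's gsuite_malware_in_email.py: a Panther-style rule body
# for this page's condition, dynamic severity and output fields. Family labels are taken
# from the page's test names; the MEDIUM fallback severity is an assumption.
from typing import Any

FAMILY_LABELS = {1: "Known Malicious Program", 2: "Virus or Worm",
                 3: "Possible Harmful Content", 4: "Possible Unwanted Content"}

def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any key is missing or None."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return default if obj is None else obj

def malware_family(event: dict) -> Any:
    return deep_get(event, "parameters", "message_info", "attachment", "malware_family")

def rule(event: dict) -> bool:
    # Condition: a Gmail event whose attachment carries a malware_family code.
    return deep_get(event, "id", "applicationName") == "gmail" and malware_family(event) is not None

def severity(event: dict) -> str:
    # Known malicious programs (1) and viruses/worms (2) alert HIGH; others fall to MEDIUM (assumption).
    return "HIGH" if malware_family(event) in (1, 2) else "MEDIUM"

def title(event: dict) -> str:
    label = FAMILY_LABELS.get(malware_family(event), "Other Malware Type")
    return f"Malware [{label}] detected in email to [{deep_get(event, 'actor', 'email')}]"

def alert_context(event: dict) -> dict:
    # The output fields listed on this page, each mapped from its source field.
    att = deep_get(event, "parameters", "message_info", "attachment", default={})
    return {"recipient": deep_get(event, "actor", "email"),
            "malware_family_code": att.get("malware_family"),
            "source_ip": event.get("ipAddress"),
            "sha256": att.get("sha256"),
            "filename": att.get("file_name")}

# Constructed sample events, trimmed from the page's own test cases.
MALWARE_EVENT = {"actor": {"email": "oliver@justice.org"}, "id": {"applicationName": "gmail"},
                 "ipAddress": "1.1.1.1", "parameters": {"message_info": {"attachment": {
                     "malware_family": 1, "file_name": "invoice.exe",
                     "sha256": "000000000045c5798d026b67c03d54273fd0996f5cb789d0a959dac0c7cc456c"}}}}
CLEAN_EVENT = {"actor": {"email": "john@justice.org"}, "id": {"applicationName": "gmail"},
               "ipAddress": "1.1.1.1", "parameters": {"message_info": {"subject": "Team Lunch Tomorrow"}}}
DRIVE_EVENT = {"actor": {"email": "diana@justice.org"}, "id": {"applicationName": "drive"},
               "ipAddress": "1.1.1.1", "parameters": {"doc_title": "Important Document.pdf"}}
```

The clean Gmail event and the Drive event both fall through rule() as in the page's two negative tests, while the is_spam flag never matters: only the presence of malware_family decides.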