Suspicious Email Attachment Extensions

Status: experimental
Severity: low
Group by: All_Email.file_name, All_Email.file_size, All_Email.message_id, All_Email.message_info, All_Email.orig_dest, All_Email.orig_recipient, All_Email.process, All_Email.process_id, All_Email.src_user
Author: David Dorsey, Splunk
Source: github.com/splunk/security_content

The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1566.001` Phishing: Spearphishing Attachment

Rule body splunk

name: Suspicious Email Attachment Extensions
id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
version: 12
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.
data_source: []
search: |
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
    as lastTime from datamodel=Email.All_Email where All_Email.file_name="*"
    
    by All_Email.src_user All_Email.file_name All_Email.file_size All_Email.message_id
       All_Email.message_info All_Email.process All_Email.process_id All_Email.orig_dest
       All_Email.orig_recipient
    
    | `drop_dm_object_name(All_Email)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious
    | search suspicious=true
    | `suspicious_email_attachment_extensions_filter`
how_to_implement: |
    You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.
    **Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in
    your environment, a Playbook called \"Suspicious Email Attachment Investigate and
    Delete\" can be configured to run when any results are found by this detection search.
    To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`,
    and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response
    Actions when configuring this detection search. The finding event will be sent to
    Phantom and the playbook will gather further information about the file attachment
    and its network behaviors. If Phantom finds malicious behavior and an analyst approves
    of the results, the email will be deleted from the user's inbox.'"
known_false_positives: No false positives have been identified at this time.
references: []
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Email attachment $file_name$ with suspicious extension from $src_user$
analytic_story:
    - Data Destruction
    - Emotet Malware DHS Report TA18-201A
    - Hermetic Wiper
    - Suspicious Emails
asset_type: Endpoint
mitre_attack_id:
    - T1566.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: network

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Email.All_Email where All_Email.file_name="*"

by All_Email.src_user All_Email.file_name All_Email.file_size All_Email.message_id
   All_Email.message_info All_Email.process All_Email.process_id All_Email.orig_dest
   All_Email.orig_recipient

Stage 2: `search`

| `drop_dm_object_name(All_Email)`

Stage 3: `search`

| `security_content_ctime(firstTime)`

Stage 4: `search`

| `security_content_ctime(lastTime)`

Stage 5: `lookup`

| lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious

Lookup table: is_suspicious_file_extension_lookup
Key field: file_name
Output columns: ['suspicious', 'suspicious']

Stage 6: `search`

| search suspicious=true

Stage 7: `search`

| `suspicious_email_attachment_extensions_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`All_Email.file_name`	eq	`"*"`
`suspicious`	eq	`true`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Suspicious Email Attachment Extensions

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `lookup`

Stage 6: `search`

Stage 7: `search`

Indicators

Keyboard shortcuts

Search operators

Suspicious Email Attachment Extensions

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: lookup

Stage 6: search

Stage 7: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `lookup`

Stage 6: `search`

Stage 7: `search`