Sublime-Message-attachments

1 attribute group in the attachments section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`attachments (collection)`	Message Data Model attribute: attachments

`attachments (collection)`

Section: Sublime-Message-attachments

Description

Message Data Model attribute: attachments

Fields #

Name	Description
`content_id`	Content-ID extracted from the MIME payload; is stripped of leading and trailing <> characters
`content_type`	Content-Type extracted from the MIME payload
`file_extension`	File extension from context such as headers
`file_name`	File name
`file_type`	File type determined by looking at the magic bytes in the file
`md5`	MD5 hash of the raw contents
`sha1`	SHA1 hash of the raw contents
`sha256`	SHA256 hash of the raw contents
`size`	Size of the file in bytes

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Attachment: 7z Archive Containing RAR File source medium: Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Show 17 more (364 total)

Attachment: Any HTML file within archive (unsolicited) source medium: Recursively scans archives to detect HTML files from unsolicited senders. HTML files can be used for HTML smuggling and embedded in archives to evade detection.
Attachment: Any HTML file (untrusted sender) source medium: Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any HTML file (unsolicited) source low: Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any .sap file (unsolicited) source low: SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment.
Attachment: Archive containing HTML file with file scheme link source high: Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.
Attachment: Archive with embedded CHM file source medium: Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files. According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.
Attachment: Archive with embedded EXE file source high: Recursively scans files and archives to detect embedded EXE files (with an MZ header). According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation". The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.
Attachment: Archive with pdf, txt and wsf files source medium: Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
Attachment: Base64 encoded bash command in filename source high: This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.).
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.
Attachment: Callback phishing solicitation via image file source high: A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Attachment: cmd file extension source low: Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.
Credential phishing: Image as content, short or no body contents source medium: This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability source high: Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Attachment: Zip exploiting CVE-2023-38831 (unsolicited) source critical: A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
Attachment: Archive containing disallowed file type source low: Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives. Attackers often embed malicious files within archives to bypass email gateway controls.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)