-
Notifications
You must be signed in to change notification settings - Fork 6
/
attachment_pdf_activemime_polyglot.yml
40 lines (36 loc) · 1.26 KB
/
attachment_pdf_activemime_polyglot.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: "Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited)"
description: |
Detection of PDF files with indicators of embedded Word MHT files using ActiveMime.
type: "rule"
severity: "high"
authors:
- twitter: "delivr_to"
references:
- https://delivr.to/payloads?id=d93ea8ea-d421-4a1e-955b-a346a9eefa23
source: |
type.inbound
and any(attachments,
(
// PDF is a direct attachment or this is an archive format
(
.file_extension == "pdf" and
.file_type == "pdf"
) or
.file_extension in $file_extensions_common_archives
) and
any(file.explode(.),
// The file is a PDF but has indicators of MHT with ActiveMime
.file_extension == "pdf" and
any(.scan.strings.strings, strings.ilike(., "*mime*")) and
any(.scan.strings.strings, strings.ilike(., "*content-location*")) and
any(.scan.strings.strings, strings.ilike(., "*content-type*")) and
// Specifically a macro definition
any(.scan.strings.strings, strings.ilike(., "*Edit-Time-Data*"))
)
)
and (
not profile.by_sender_email().solicited
or sender.email.domain.domain == "delivrto.me"
)
tags:
- "Suspicious Attachment"