
Attachment with VBA macros from employee impersonation (unsolicited)

Sublime Rules

Summary
This detection rule flags likely phishing attempts in which an attachment carries VBA macros and the sender impersonates an employee of the organization. It matches messages whose sender display name is that of an existing employee but whose sender address the organization has never corresponded with, and then checks whether any attachment contains VBA macros, a common malware delivery technique. File extensions, attachment content types and the sender domain are combined to classify the message as unsolicited and potentially harmful. The rule targets the macro-based malware and ransomware delivery commonly seen in social-engineering attacks.
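The following is an added worked example, not the Sublime rule itself or any of its source: a small Python model of the logic the summary describes. The employee directory (EMPLOYEES), the set of previously seen addresses (KNOWN_SENDERS), the sample addresses and the in-memory Office files are all constructed for the demonstration. The VBA check is a stdlib heuristic (an OOXML part named vbaProject.bin, or a UTF-16LE "VBA" storage name inside a legacy OLE container) rather than a full Office parser, and an attachment is flagged only when both its declared type (extension or content type) and its bytes point at a macro-bearing document; both choices are assumptions made for this example.

```python
"""Toy model of the "VBA macros from impersonated employee" detection (added example)."""
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

# Constructed org data for the example: employee display names and
# addresses the organization has previously exchanged mail with.
EMPLOYEES = {"Jane Doe": "jane.doe@example.com", "Bob Smith": "bob.smith@example.com"}
KNOWN_SENDERS = {"jane.doe@example.com", "bob.smith@example.com", "vendor@partner.example"}

# Declared types that can carry VBA: macro-enabled OOXML plus legacy binary Office formats.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm",
                    ".ppam", ".doc", ".dot", ".xls", ".xlt", ".ppt"}
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-word.template.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-powerpoint",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # Compound File Binary header
VBA_STORAGE_MARKER = "VBA".encode("utf-16-le")          # OLE directory names are UTF-16LE


@dataclass
class Attachment:
    filename: str
    content_type: str
    data: bytes


@dataclass
class Message:
    display_name: str
    sender_address: str
    attachments: list = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Collapse whitespace and case so 'jane  DOE' matches 'Jane Doe'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def contains_vba(att: Attachment) -> bool:
    """Heuristic content check: OOXML with a vbaProject.bin part, or OLE with a VBA storage."""
    if att.data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(att.data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if att.data.startswith(OLE_MAGIC):
        return VBA_STORAGE_MARKER in att.data
    return False


def declared_macro_type(att: Attachment) -> bool:
    """Extension or content type says this is a document format that can carry VBA."""
    ext = os.path.splitext(att.filename)[1].lower()
    return ext in MACRO_EXTENSIONS or att.content_type.lower() in MACRO_CONTENT_TYPES


def impersonates_employee(msg: Message) -> bool:
    """Display name matches an employee, but the address is one the org has never seen."""
    wanted = normalize_name(msg.display_name)
    name_matches = any(normalize_name(e) == wanted for e in EMPLOYEES)
    return name_matches and msg.sender_address.lower() not in KNOWN_SENDERS


def matches_rule(msg: Message) -> bool:
    """True when an unsolicited employee impersonation carries a VBA-bearing attachment."""
    if not impersonates_employee(msg):
        return False
    return any(declared_macro_type(a) and contains_vba(a) for a in msg.attachments)


# --- constructed sample attachments (not real malware) ---------------------------------
def build_docm_with_macro() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)   # presence of the part is the signal
    return buf.getvalue()


def build_docx_without_macro() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_legacy_doc_with_vba() -> bytes:
    # Minimal stand-in for a .doc: CFB magic followed by a UTF-16LE "VBA" storage name.
    return OLE_MAGIC + b"\x00" * 16 + VBA_STORAGE_MARKER + b"\x00" * 8


if __name__ == "__main__":
    lure = Message("Jane Doe", "jane.doe@mail-lookalike.test",
                   [Attachment("invoice.docm",
                               "application/vnd.ms-word.document.macroEnabled.12",
                               build_docm_with_macro())])
    print("lure flagged:", matches_rule(lure))
```

The name match is deliberately loose (case and whitespace folded) because display names are attacker-controlled, while the address check is strict: the whole point of the rule is that the name is familiar and the address is not.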
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • File
Created: 2021-10-28