-
Notifications
You must be signed in to change notification settings - Fork 0
/
o365_html_attachments.yml
34 lines (34 loc) · 1 KB
/
o365_html_attachments.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
title: HTML Attachment in Email
id: 8540b9c6-4f7a-4521-b04f-c68d1f71eabd
description: HTM and HTML attachments found in an O365 email
status: experimental
date: 2022/12/23
author: Josh Nickels
references:
- https://asec.ahnlab.com/en/44662/
- https://news.trendmicro.com/2022/10/31/html-email-attachments-phishing-scam/
- https://www.avanan.com/blog/phishing-trend-targeting-office-365-uses-html-attachments
logsource:
category: AdvancedHunting
service: EmailAttachmentInfo
product: m365
detection:
selection1:
sourcetype:
- "AdvancedHunting:EmailAttachmentInfo"
- "AdvancedHunting:EmailEvents"
selection2:
- "html"
- "htm"
selection3:
- "Delivered"
filter:
- "Delivered as Spam"
- "Blocked"
condition: (selection1 and selection2 and selection3) and not filter
falsepositives:
- Legitimate buisness need for .htm and .html attachment types
level: low
tags:
- attack.initial_access
- attack.t1566.001