Detection: Suspicious Email Attachment Extensions

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2025-01-21 ID: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084 Author: David Dorsey, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `drop_dm_object_name("All_Email")` 
6| `suspicious_email_attachments` 
7| `suspicious_email_attachment_extensions_filter`

Data Source

No data sources specified for this detection.

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
suspicious_email_attachment_extensions_filter search *
suspicious_email_attachment_extensions_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1566.001 Spearphishing Attachment Initial Access
T1566 Phishing Initial Access
Delivery
DE.AE
CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. Splunk Phantom Playbook Integration If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk https://splunkbase.splunk.com/app/3411/, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The finding event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.'

Known False Positives

None identified

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Suspicious attachment from $src_user$

Risk Object Risk Object Type Risk Score Threat Objects
user user 25 No Threat Objects

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 6