From a002518f126c304990c3145c86d842c620b73c7f Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 22 Oct 2025 08:35:19 -0700
Subject: [PATCH 1/3] Create attachment_any_sap_unsolicited.yml
---
 .../attachment_any_sap_unsolicited.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 detection-rules/attachment_any_sap_unsolicited.yml
diff --git a/detection-rules/attachment_any_sap_unsolicited.yml b/detection-rules/attachment_any_sap_unsolicited.yml
new file mode 100644
index 00000000000..899a7e49e3d
--- /dev/null
+++ b/detection-rules/attachment_any_sap_unsolicited.yml
@@ -0,0 +1,34 @@
+name: "Attachment: Any .sap file (unsolicited)"
+description: "SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment."
+references:
+ - "https://onapsis.com/blog/sap-shortcut-phishing-threat/"
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and any(attachments, .file_extension in~ ('sap'))
+ and (
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+ and not profile.by_sender().any_messages_benign
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
From 79fd9dae8cc522f4ef239fd2268aa5c1062500a0 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 22 Oct 2025 08:36:10 -0700
Subject: [PATCH 2/3] Update attachment_any_sap_unsolicited.yml
---
 detection-rules/attachment_any_sap_unsolicited.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
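Review bot: The description tells operators when to enable the rule but not that the sender-profile clauses suppress it for any sender with prior benign mail (`and not profile.by_sender().any_messages_benign`) and for solicited senders with no spam/malicious history, so a reader of the rule's metadata could assume every inbound .sap attachment is flagged. For an attack-surface-reduction rule that exclusion is a deliberate tuning choice and belongs in the description, e.g. appending `Senders with prior benign messages, and solicited senders without a malicious/spam history, are excluded.` The high-trust-domain negation is already explained by the inline comment in `source`, so only the description needs the addition.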
diff --git a/detection-rules/attachment_any_sap_unsolicited.yml b/detection-rules/attachment_any_sap_unsolicited.yml
index 899a7e49e3d..3f0e3e19e15 100644
--- a/detection-rules/attachment_any_sap_unsolicited.yml
+++ b/detection-rules/attachment_any_sap_unsolicited.yml
@@ -6,7 +6,7 @@ type: "rule"
 severity: "low"
 source: |
 type.inbound
- and any(attachments, .file_extension in~ ('sap'))
+ and any(attachments, .file_extension == "sap")
 and (
 not profile.by_sender().solicited
 or profile.by_sender().any_messages_malicious_or_spam
From 8d50ce810fc2aa5ae0665a4d277c07e9e93aecbe Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 22 Oct 2025 15:38:07 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
 detection-rules/attachment_any_sap_unsolicited.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_any_sap_unsolicited.yml b/detection-rules/attachment_any_sap_unsolicited.yml
index 3f0e3e19e15..8e338da4872 100644
--- a/detection-rules/attachment_any_sap_unsolicited.yml
+++ b/detection-rules/attachment_any_sap_unsolicited.yml
@@ -32,3 +32,4 @@ detection_methods:
 - "File analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "220ed3de-1b01-54a4-898d-6081785e2870"
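Review bot: Replacing `in~ ('sap')` with `== "sap"` discards the case-insensitivity the `~` variant provided, so unless `.file_extension` is lower-cased before evaluation (not visible in this hunk) an attachment carrying `.SAP` or `.Sap` stops matching, and the extension is this rule's only trigger. If the goal was only to drop the one-element list, the case-insensitive equality form keeps that intent: `and any(attachments, .file_extension =~ "sap")`. The `source` block scalar continues past the end of the hunk.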