Create attachment_docx_hyperlink_targeting_recipient.yml (#3472)

Co-authored-by: ID Generator <hello@sublimesecurity.com>
Co-authored-by: keaton-sublime <kyle.eaton@sublimesecurity.com>

Author: 3 people

detection-rules/attachment_docx_hyperlink_targeting_recipient.yml

@@ -0,0 +1,33 @@
+name: "Attachment: DOCX with hyperlink targeting recipient address"
+description: "Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension in ('docx', 'docm')),
+          any(filter(file.explode(.),
+                     strings.icontains(.scan.strings.raw, '<w:hyperlink')
+              ),
+              any(regex.iextract(.scan.strings.raw,
+                                 '<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
+                  ),
+                  .named_groups["email_address"] == recipients.to[0].email.email
+                  or any(strings.scan_base64(.named_groups["email_address"],
+                                             ignore_padding=true
+                         ),
+                         strings.icontains(., recipients.to[0].email.email)
+                  )
+              )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Archive analysis"
+  - "XML analysis"
+id: "9ec8fa49-bda9-5e8f-876f-1e53a46d83ca"