LoFP / opening of headers or footers in email signatures that include svg images or legitimate svg attachments

Techniques

Sample rules

Suspicious File Created in Outlook Temporary Directory

Description

Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.

Detection logic

condition: all of selection_*
selection_extension:
  TargetFilename|endswith:
  - .cpl
  - .hta
  - .iso
  - .rdp
  - .svg
  - .vba
  - .vbe
  - .vbs
selection_location:
- TargetFilename|contains:
  - \AppData\Local\Packages\Microsoft.Outlook_
  - \AppData\Local\Microsoft\Olk\Attachments\
- TargetFilename|contains|all:
  - \AppData\Local\Microsoft\Windows\
  - \Content.Outlook\
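The following is an added example, not code from the page or from the rule's author: it reimplements the detection logic above in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. It assumes the rule is applied to a log source whose file path field is `TargetFilename` and that, as in Sigma, `endswith`/`contains` matching is case-insensitive. The sample paths (user name, Outlook cache folder name, file names) are constructed, as is the `evaluate` helper; the last hit in the sample set is the benign signature SVG that this LoFP entry describes, which the rule cannot distinguish from a malicious SVG attachment by path alone.

```python
"""Run the 'Suspicious File Created in Outlook Temporary Directory' logic
over constructed Sysmon Event ID 11 (FileCreate) records.

Added example; the field names and sample paths are assumptions, not
data from the original page.
"""
from __future__ import annotations

from typing import Iterable, List

# selection_extension: any one of these suffixes.
SUSPICIOUS_EXTENSIONS = (".cpl", ".hta", ".iso", ".rdp", ".svg", ".vba", ".vbe", ".vbs")

# selection_location, first list item: any one of these substrings.
OUTLOOK_PACKAGE_PATHS = (
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
)

# selection_location, second list item (contains|all): both substrings required.
OUTLOOK_CLASSIC_PATH_PARTS = (
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
)


def matches_rule(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies 'all of selection_*'."""
    # Sigma string modifiers compare case-insensitively, so normalise both sides.
    name = target_filename.lower()
    extension_hit = name.endswith(SUSPICIOUS_EXTENSIONS)
    package_hit = any(part.lower() in name for part in OUTLOOK_PACKAGE_PATHS)
    classic_hit = all(part.lower() in name for part in OUTLOOK_CLASSIC_PATH_PARTS)
    # The two list items under selection_location are OR-ed; the two
    # selections themselves are AND-ed by the condition.
    return extension_hit and (package_hit or classic_hit)


def evaluate(events: Iterable[dict]) -> List[dict]:
    """Return the FileCreate events (assumed Sysmon EventID 11) the rule alerts on."""
    return [
        event
        for event in events
        if event.get("EventID") == 11 and matches_rule(event.get("TargetFilename", ""))
    ]


# Constructed sample events (not real telemetry). Order matters for the checks below.
SAMPLE_EVENTS = [
    # Classic Outlook attachment cache: HTA dropped when a user opens an attachment.
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\7K2QZ1XA\\invoice.hta"},
    # New Outlook (packaged app) attachment location with an ISO container.
    {"EventID": 11, "Image": "C:\\Program Files\\WindowsApps\\Microsoft.OutlookForWindows_1.0.0.0_x64__8wekyb3d8bbwe\\olk.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.Outlook_8wekyb3d8bbwe\\LocalState\\Files\\S0\\1\\Attachments\\payload.iso"},
    # Olk attachments folder with a VBA file.
    {"EventID": 11, "Image": "C:\\Program Files\\WindowsApps\\Microsoft.OutlookForWindows_1.0.0.0_x64__8wekyb3d8bbwe\\olk.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Olk\\Attachments\\a1b2c3\\macro.vba"},
    # The LoFP case: an SVG logo from an e-mail signature rendered by classic Outlook.
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\7K2QZ1XA\\company-logo.svg"},
    # Same directory, extension not in the list: no alert.
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\7K2QZ1XA\\report.pdf"},
    # Listed extension, but outside every Outlook temporary directory: no alert.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\tool.vbs"},
    # Not a FileCreate event at all: ignored regardless of path.
    {"EventID": 23, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\7K2QZ1XA\\old.hta"},
]


def hit_basenames(events: Iterable[dict]) -> List[str]:
    """Convenience view: file names of the events the rule fires on."""
    return [e["TargetFilename"].rsplit("\\", 1)[-1] for e in evaluate(events)]


if __name__ == "__main__":
    for event in evaluate(SAMPLE_EVENTS):
        print("ALERT", event["TargetFilename"])
```

Running it fires on `invoice.hta`, `payload.iso`, `macro.vba` and `company-logo.svg`; the last one is exactly the signature-image false positive named at the top of this page. Any tuning (for example, a filter on the creating process or on the sender) has to be added as a separate `filter_*` selection, since the rule as written keys on path and extension only.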