Skip to content

Add detection rule for MSG files with VBA macros#3896

Open
peterdj45 wants to merge 4 commits intomainfrom
peter.new.attachment_msg_macros
Open

Add detection rule for MSG files with VBA macros#3896
peterdj45 wants to merge 4 commits intomainfrom
peter.new.attachment_msg_macros

Conversation

@peterdj45
Copy link
Copy Markdown
Member

@peterdj45 peterdj45 commented Jan 29, 2026

Description

This rule detects MSG file attachments that contain VBA macros with medium to high risk indicators, which can be used to deliver malicious code.

Associated samples

Associated hunts

@peterdj45
Add detection rule for MSG files with VBA macros
8eba48a 
This rule detects MSG file attachments that contain VBA macros with medium to high risk indicators, which can be used to deliver malicious code.
@peterdj45 peterdj45 requested a review from a team as a code owner January 29, 2026 10:34
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 29, 2026
github-actions Bot added a commit that referenced this pull request Jan 29, 2026
@github-actions
[PR #3896] added rule: Attachment: MSG file with VBA macros
cfef33e
github-actions Bot added a commit that referenced this pull request Jan 29, 2026
@github-actions
[PR #3896] added rule: PR# 3896 - Attachment: MSG file with VBA macros
fef207b
@peterdj45
Add tags for attack surface reduction
d3c4482 
Added tags for attack surface reduction to the detection rules.
@peterdj45 peterdj45 requested a review from a team February 4, 2026 18:41
@peterdj45
Copy link
Copy Markdown
Member Author

peterdj45 commented Feb 4, 2026
edited
Loading

hasn't fired in test rules yet. changing to ASR

github-actions Bot added a commit that referenced this pull request Feb 4, 2026
@github-actions
[PR #3896] modified rule: Attachment: MSG file with VBA macros
9f6a3ad
github-actions Bot added a commit that referenced this pull request Feb 4, 2026
@github-actions
[PR #3896] modified rule: PR# 3896 - Attachment: MSG file with VBA ma…
0674b4f 
…cros
@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Feb 4, 2026
@IndiaAce
Copy link
Copy Markdown
Member

IndiaAce commented Feb 5, 2026

Hello! Just some thoughts here while reviewing. Since this only matched 1 email, the scope might be a little too tight. There's an opportunity here to use this rule and modify it to account for this file_type/extension I ran a hunt for this proposed logic... not necessarily saying this is 100% the fix but it might be a starting point here. Happy to hear your case if you want this to be a separate rule, but I'm going to remove the review-needed tab for the time being. LMK your thoughts.

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Feb 5, 2026
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Apr 8, 2026
@github-actions
[Test Rules] [PR sublime-security#3896] added rule: Attachment: MSG f…
61dac87 
…ile with VBA macros
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@peterdj45 @IndiaAce