Create attachment_eml_encrypted_zip.yml (#2990)

Co-authored-by: ID Generator <[email protected]>

Author: zoomequipd

detection-rules/attachment_eml_encrypted_zip.yml

@@ -0,0 +1,30 @@
+name: "Attachment: EML with Encrypted ZIP"
+description: "Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  // attached EML
+  and any(filter(attachments, .content_type == "message/rfc822"),
+          // Attached EML contains a ZIP file
+          any(filter(file.parse_eml(.).attachments,
+                     .file_type == "zip" or .file_extension == "zip"
+              ),
+              // ZIP file is encrypted
+              any(file.explode(.),
+                  any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
+              )
+          )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "YARA"
+id: "6897a8f7-da66-52ed-a39e-d8c643e78fe9"