Adversaries may deliver macro-enabled Office documents in MIME form (MHTML, the Single File Web Page format), where the VBA project is stored as a base64-encoded ActiveMime object inside an application/x-mso part, to evade detection that only inspects OLE or OOXML containers. SOC teams should hunt for this encoding in files arriving at endpoints, mail gateways and file shares, and route the matches into their SIEM (e.g. Azure Sentinel) for triage.
YARA Rule
rule MIME_MSO_ActiveMime_base64 : maldoc
{
    meta:
        author = "Martin Willing (https://evild3ad.com)"
        description = "Detect MIME MSO Base64 encoded ActiveMime file"
        date = "2016-02-28"
        filetype = "Office documents"
    strings:
        $mime = "MIME-Version:"
        $base64 = "Content-Transfer-Encoding: base64"
        $mso = "Content-Type: application/x-mso"
        // base64("ActiveMim") = "QWN0aXZlTWlt"; the first ten characters are matched,
        // with an optional CRLF allowed between each pair because base64 encoders wrap
        // their output (typically at 76 columns) and the wrap may fall inside the marker.
        $activemime = /Q(\x0D\x0A|)W(\x0D\x0A|)N(\x0D\x0A|)0(\x0D\x0A|)a(\x0D\x0A|)X(\x0D\x0A|)Z(\x0D\x0A|)l(\x0D\x0A|)T(\x0D\x0A|)W/
    condition:
        // The MIME header must open the file (offset 0); the other three strings may appear anywhere.
        $mime at 0 and $base64 and $mso and $activemime
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
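To make the four conditions concrete, here is an added Python example (not part of the original page and not the rule author's code) that re-implements the rule's logic, derives the "QWN0aXZlTW" pattern from the string "ActiveMime", and runs it over constructed samples: a fabricated MHTML file with an application/x-mso part whose base64 marker is split by a 76-column line wrap, the same container with a base64 PDF part instead, and a stored e-mail whose first header line is not "MIME-Version:". The sample files and the ActiveMime payload bytes are constructed placeholders, not real Office output.

```python
import base64
import re

# The three literal strings from the YARA rule.
MIME_STRING = b"MIME-Version:"
BASE64_STRING = b"Content-Transfer-Encoding: base64"
MSO_STRING = b"Content-Type: application/x-mso"


def base64_wrapped_regex(plaintext: bytes, prefix_chars: int) -> re.Pattern:
    """Build the line-wrap tolerant regex the rule uses.

    base64 encoders wrap output (usually at 76 columns), so a CRLF may land
    between any two characters of the encoded marker. Generating the pattern
    from the plaintext shows where the rule's "QWN0aXZlTW" comes from: it is
    the first `prefix_chars` characters of base64("ActiveMime").
    """
    encoded = base64.b64encode(plaintext)[:prefix_chars]
    pieces = [re.escape(bytes([c])) for c in encoded]
    return re.compile(rb"(?:\r\n)?".join(pieces))


ACTIVEMIME_MARKER = base64.b64encode(b"ActiveMime")[:10]  # b"QWN0aXZlTW"
ACTIVEMIME_RE = base64_wrapped_regex(b"ActiveMime", 10)


def rule_matches(data: bytes) -> bool:
    """Same condition as the rule: $mime at 0 and $base64 and $mso and $activemime."""
    return (
        data.startswith(MIME_STRING)
        and BASE64_STRING in data
        and MSO_STRING in data
        and ACTIVEMIME_RE.search(data) is not None
    )


def build_mhtml_part(content_type: bytes, payload: bytes, wrap: int = 76) -> bytes:
    """Constructed single-part MHTML container (placeholder, not a real Office export)."""
    encoded = base64.b64encode(payload)
    body_lines = [encoded[i:i + wrap] for i in range(0, len(encoded), wrap)]
    header_lines = [
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/related; boundary="----=_NextPart_000"',
        b"",
        b"------=_NextPart_000",
        b"Content-Transfer-Encoding: base64",
        b"Content-Type: " + content_type,
        b"",
    ]
    trailer = [b"------=_NextPart_000--", b""]
    return b"\r\n".join(header_lines + body_lines + trailer)


# 54 filler bytes encode to exactly 72 base64 characters, so the marker starts
# at column 72 and the 76-column wrap splits it as "QWN0" / "aXZlTW".
# The bytes after "ActiveMime" are placeholders, not a real ActiveMime structure.
FAKE_ACTIVEMIME_BLOB = b"\x00" * 54 + b"ActiveMime" + b"\x00" * 16
MHTML_WITH_MACRO_PART = build_mhtml_part(b"application/x-mso", FAKE_ACTIVEMIME_BLOB)

# Base64 part that is not x-mso: base64 alone does not satisfy the rule.
MHTML_WITH_PDF_PART = build_mhtml_part(b"application/pdf", b"%PDF-1.4\n" + b"\x00" * 80)

# A stored message whose first header is not "MIME-Version:" fails "$mime at 0"
# even though it carries the matching container verbatim.
EMAIL_WITH_MACRO_PART = b"Received: from mx.example (constructed)\r\n" + MHTML_WITH_MACRO_PART


if __name__ == "__main__":
    print("marker:", ACTIVEMIME_MARKER)
    print("naive substring finds split marker:", ACTIVEMIME_MARKER in MHTML_WITH_MACRO_PART)
    print("x-mso part, wrapped marker:", rule_matches(MHTML_WITH_MACRO_PART))
    print("pdf part:", rule_matches(MHTML_WITH_PDF_PART))
    print("email with other header first:", rule_matches(EMAIL_WITH_MACRO_PART))
```

The split-marker sample is the reason the rule uses a regex instead of a plain string: a naive search for "QWN0aXZlTW" misses it, while the CRLF-tolerant pattern still hits. The e-mail sample shows the other side of "$mime at 0": scanning whole mailbox files will not match unless the message happens to start with "MIME-Version:", so the attachment itself is the object to scan.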
Scenario: Scheduled Backup Job Archiving Office Documents
Description: Archivers such as 7-Zip or WinRAR do not MIME-encode their input, so the archive itself cannot match. The rule fires when the scanner extracts the archive and a backed-up document is a legitimate macro-enabled document saved in Single File Web Page (.mht/.mhtml) format, because that format stores the VBA project as a base64-encoded application/x-mso part beginning with "ActiveMime".
Filter/Exclusion: Allowlist by backup source path or by hash of the known-good document rather than by .zip/.7z extension or archiver process name; the match is on the extracted document, not on the archive.
Scenario: Email Server Processing MIME Encoded Attachments
Description: Base64 encoding alone does not satisfy the rule; all four strings are required and "MIME-Version:" must sit at offset 0. A stored message whose first header is something else (e.g. "Received:") does not match even when it carries a matching attachment, while the extracted attachment does. The realistic false positive is a legitimate macro document that a user sent as an .mht attachment.
Filter/Exclusion: Do not suppress the mail gateway by source IP range; it is the delivery channel the rule is meant to cover. Tune on the attachment instead: allowlist the sender or document hash, and scan extracted attachments rather than whole message files so that "$mime at 0" is evaluated on the right object.
Scenario: System Update or Patch Deployment Using Base64 Encoding
Description: Deployment tools such as Microsoft SCCM, Ansible or Chef may base64-encode payloads in transit, but an encoded payload only matches if it also begins with "MIME-Version:", declares an application/x-mso part and carries the base64 "ActiveMime" marker. Ordinary .msu, .msp or .exe packages do not, so they are not a source of false positives.
Filter/Exclusion: No extension- or process-based exclusion (ccmexec.exe, ansible) is needed for the packages themselves; if a deployment tool distributes .mht documents that contain macros, allowlist those documents by hash or path.
Scenario: Log File Conversion Using Base64 Encoding
Description: Log pipelines (Splunk, ELK Stack, Graylog) may base64-encode event data, but base64 by itself does not trigger the rule. A log or export file only matches if a matching MHTML document was written into it verbatim and the file itself starts with "MIME-Version:", which is not how these tools emit .log, .json or .csv output.
Filter/Exclusion: No exclusion is needed for ordinary log output; if log stores are excluded from scanning, do so for volume reasons, not because of this rule.
Scenario: Admin Task Exporting Reports in MIME Format
Description: An admin task (e.g., using PowerShell, Python, or SQL Server Reporting Services) exports reports in