The presence of suspicious attachments in network traffic or stored files may indicate phishing attempts or the delivery of malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential threats hidden within seemingly legitimate email or file-sharing activities.
YARA Rule
rule with_attachment : mail {
    meta:
        author = "Antonio Sanchez <[email protected]>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the presence of one or several attachments"
    strings:
        $attachment_id = "X-Attachment-Id"
    condition:
        $attachment_id
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic: it fires whenever the literal "X-Attachment-Id" appears anywhere in the scanned data.
Scenario: Legitimate email with a PDF attachment
Description: A user sends a legitimate email with a PDF attachment as part of a business process (e.g., invoice, contract, or report).
Filter/Exclusion: Use a filter to exclude emails sent from or to known internal domains, or apply a regex to exclude .pdf files in emails from trusted senders (e.g., from:[email protected] or subject:.*Invoice.*).
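The following Python script is an added example, not part of the original page or the rule author's code. It reproduces the rule's condition (the literal "X-Attachment-Id" present anywhere in the raw message) and then applies the trusted-sender and subject-pattern exclusions from the scenario above before deciding whether to escalate. The three sample messages, the domain corp.example, the sender addresses and the X-Attachment-Id values are all constructed for the demo; the exclusion lists are hypothetical placeholders a SOC would replace with its own.

```python
import email
import email.utils
import re
from email import policy

# The single string pattern the YARA rule looks for.
ATTACHMENT_ID_HEADER = "X-Attachment-Id"

# Hypothetical exclusions mirroring scenario 1 (trusted senders, invoice subjects).
TRUSTED_SENDER_DOMAINS = {"corp.example"}            # constructed placeholder
TRUSTED_SUBJECT_RE = re.compile(r".*Invoice.*", re.IGNORECASE)

# Constructed sample messages (not captured traffic).
# 1. External sender, attachment part carries X-Attachment-Id -> escalate.
SAMPLE_EXTERNAL = """\
From: Unknown Sender <sender@mail-example.test>
To: victim@corp.example
Subject: Urgent: please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

See attached.
--BOUNDARY
Content-Type: application/pdf; name="review.pdf"
Content-Disposition: attachment; filename="review.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_constructed_0001

JVBERi0xLjQK
--BOUNDARY--
"""

# 2. Plain message, no attachment -> rule does not fire.
SAMPLE_NO_ATTACHMENT = """\
From: Colleague <colleague@corp.example>
To: victim@corp.example
Subject: Lunch?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Noon works for me.
"""

# 3. Internal billing process with an invoice PDF -> rule fires, excluded.
SAMPLE_TRUSTED = """\
From: Billing <billing@corp.example>
To: victim@corp.example
Subject: Invoice 2025-04
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Invoice attached.
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_constructed_0002

JVBERi0xLjQK
--BOUNDARY--
"""


def rule_matches(raw_message: str) -> bool:
    """Equivalent of the YARA condition: the literal appears anywhere in the data."""
    return ATTACHMENT_ID_HEADER in raw_message


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased (empty if absent)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def attachment_names(msg) -> list:
    """Filenames of MIME parts the parser treats as attachments."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def triage(raw_message: str) -> dict:
    """Run the rule, then apply scenario-1 exclusions to the hits."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hit = rule_matches(raw_message)
    excluded, reason = False, ""
    if hit:
        if sender_domain(msg) in TRUSTED_SENDER_DOMAINS:
            excluded, reason = True, "trusted sender domain"
        elif TRUSTED_SUBJECT_RE.match(str(msg.get("Subject", ""))):
            excluded, reason = True, "subject matches allow-list pattern"
    return {
        "rule_hit": hit,
        "sender_domain": sender_domain(msg),
        "attachments": attachment_names(msg),
        "excluded": excluded,
        "reason": reason,
        "escalate": hit and not excluded,
    }


if __name__ == "__main__":
    for name, raw in [("external", SAMPLE_EXTERNAL),
                      ("no_attachment", SAMPLE_NO_ATTACHMENT),
                      ("trusted", SAMPLE_TRUSTED)]:
        print(name, triage(raw))
```

Two points the script makes visible: the rule keys on a header that only some mail clients add to attachment parts, so messages that carry attachments without it are not caught, and the match is a bare substring, so the literal appearing in a quoted or forwarded body also fires. Both are reasons to treat the rule as a broad hunting filter and to layer the exclusions on top rather than tune the rule itself.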
Scenario: Scheduled backup job with compressed files
Description: A scheduled backup job compresses files into a .zip or .tar.gz archive and stores them on a file server. These archives may contain multiple files, triggering the attachment detection rule.
Filter/Exclusion: Exclude files created by a known backup tool (e.g., Veeam, Commvault) or use a timestamp filter to exclude files created during scheduled backup windows (e.g., file_time >= "2025-04-01 02:00:00").
Scenario: User uploading a ZIP file for software distribution
Description: A user uploads a ZIP file containing multiple software components to a shared drive or internal repository for team use.
Filter/Exclusion: Exclude files uploaded by a known internal distribution tool (e.g., Intune, Microsoft Endpoint Manager) or use a file path filter (e.g., file_path: \\fileserver\software\*).
Scenario: EDR scan detecting benign executable in a sandboxed environment
Description: An EDR tool scans a sandboxed environment and detects an executable file (e.g., a test binary) as part of its analysis, which may be flagged as an attachment.
Filter/Exclusion: Exclude files detected by a known sandboxing tool (e.g.,