The hypothesis is that an email carrying no attachment may be an adversary's way of bypassing attachment-centric detection: the lure or payload moves into the message itself, such as the HTML body, embedded links or inline content, where attachment scanners do not look. A SOC team can run this rule over captured mail and surface the matches in Azure Sentinel to hunt for that evasion, but a match on its own is not an indicator: most legitimate mail carries no attachment, so the rule scopes the hunt and the analyst then pivots to what the matched messages do contain, such as URLs and scripted HTML.
YARA Rule
rule without_attachments : mail {
    meta:
        author = "Antonio Sanchez <[email protected]>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the no presence of any attachment"
    strings:
        // headers every RFC 5322 message carries; they gate the rule to mail-like files
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        // attachment indicators that are negated below (case-sensitive, as YARA strings are by default)
        $attachment_id = "X-Attachment-Id"
        $mime_type = "Content-Type: multipart/mixed"
    condition:
        all of ( $eml_* ) and
        not $attachment_id and
        not $mime_type
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic: three header markers (From:, To:, Subject:) that must all be present, which gates the rule to mail-like files, and two attachment indicators that must both be absent, the X-Attachment-Id header that Gmail adds to attachment parts and a Content-Type: multipart/mixed header. Two limits follow from those strings. YARA text strings are case-sensitive by default while RFC 5322 header names are not, so a message whose header reads content-type: multipart/mixed in lowercase still matches. And an attachment can arrive without either indicator, for example as a single-part message or inside multipart/related, marked only by a Content-Disposition: attachment header, which the rule does not check; such messages are reported as attachment-free.
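To make the rule's logic and its limits concrete, the following Python script (an added example, not code from the original page or from the rule's author) mirrors the five strings and the condition of without_attachments as plain byte searches and compares the verdict with a MIME-tree walk using the standard library's email parser. The four sample messages and the function names are constructed for this illustration.

```python
# Added example; not code from the original page or from the rule's author.
# It mirrors the string logic of the without_attachments YARA rule in plain
# Python and compares its verdict with a MIME walk on constructed sample
# messages, to show which attachment layouts the rule reports as attachment-free.
from email import policy
from email.parser import BytesParser

# The rule's five strings, verbatim. YARA text strings are case-sensitive unless
# declared "nocase", so plain bytes containment reproduces the match semantics.
EML_MARKERS = (b"From:", b"To:", b"Subject:")
ATTACHMENT_MARKERS = (b"X-Attachment-Id", b"Content-Type: multipart/mixed")


def rule_without_attachments(raw: bytes) -> bool:
    """Mirror of the condition: all of ($eml_*) and not $attachment_id and not $mime_type."""
    return all(m in raw for m in EML_MARKERS) and not any(m in raw for m in ATTACHMENT_MARKERS)


def mime_has_attachment(raw: bytes) -> bool:
    """Ground truth: parse the MIME tree and report any part that is marked as an
    attachment (Content-Disposition) or carries a filename, whatever the container."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return any(part.is_attachment() or part.get_filename() for part in msg.walk())


# Constructed samples (not real mail). The PDF body is a truncated base64 stub;
# neither the rule nor the parser needs to decode it.
HEADERS = b"From: alice@example.test\nTo: bob@example.test\nSubject: invoice\nMIME-Version: 1.0\n"
ATTACH_PART = (
    b'Content-Type: application/pdf; name="invoice.pdf"\n'
    b'Content-Disposition: attachment; filename="invoice.pdf"\n'
    b"Content-Transfer-Encoding: base64\n\nJVBERi0=\n"
)


def _multipart(content_type_header: bytes) -> bytes:
    """Two-part message: a text body plus ATTACH_PART, under the given container header."""
    return (
        HEADERS + content_type_header + b'; boundary="b1"\n\n'
        b"--b1\nContent-Type: text/plain\n\nsee attached\n--b1\n" + ATTACH_PART + b"--b1--\n"
    )


SAMPLES = {
    # text-only mail: rule and parser agree that there is no attachment
    "plain": HEADERS + b"Content-Type: text/plain\n\nsee you at noon\n",
    # the canonical layout the rule was written for: $mime_type fires, rule does not match
    "mixed": _multipart(b"Content-Type: multipart/mixed"),
    # same message, header name in lowercase (RFC 5322 header names are case-insensitive)
    "mixed_lowercase": _multipart(b"content-type: multipart/mixed"),
    # attachment delivered as the whole message body, no multipart container at all
    "single_part": HEADERS + ATTACH_PART,
}


def verdicts() -> dict[str, tuple[bool, bool]]:
    """For each sample: (rule says attachment-free, MIME walk found an attachment)."""
    return {name: (rule_without_attachments(raw), mime_has_attachment(raw))
            for name, raw in SAMPLES.items()}


def rule_misses() -> list[str]:
    """Samples the rule reports as attachment-free although they carry an attachment."""
    return [name for name, (no_att, has_att) in verdicts().items() if no_att and has_att]


if __name__ == "__main__":
    for name, (no_att, has_att) in verdicts().items():
        print(f"{name:16} rule_without_attachments={no_att!s:5} mime_has_attachment={has_att}")
    print("misclassified:", rule_misses())
```

Running it prints one line per sample; rule_misses() returns the two layouts the rule reports as attachment-free despite the attachment. Declaring both negated strings nocase and adding a third negated string for Content-Disposition: attachment would close the two gaps shown here.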
Scenario: Mailbox backup or archive job exporting messages without attachments
Description: A backup product such as Veeam Backup & Replication or Commvault that backs up mailboxes may write each message out as an individual file (for example .eml or .msg). Every exported message that has no attachment carries From:, To: and Subject: headers and neither attachment marker, so it matches the rule, and a single export can produce thousands of matches at once.
Filter/Exclusion: Exclude the backup repository or export paths from the scan, or tag matches by source so they are triaged separately (e.g., file_path NOT IN (backup_export_path_list)).
Scenario: Alert and report emails from log management platforms
Description: Splunk and the ELK Stack (Kibana) can send scheduled-search and alert notifications as plain-text or HTML emails with no attachment, so every such notification matches the rule; a noisy alert configuration can dominate the result set.
Filter/Exclusion: Exclude messages from the configured alerting sender addresses rather than by port or application name, which a mail file does not carry (e.g., from_email IN (alert_sender_list)).
Scenario: Email notifications sent by a ticketing system without attachments
Description: A system like ServiceNow or Zendesk sends automated ticket-update notifications that usually carry no attachment, so they match the rule in volume.
Filter/Exclusion: Exclude mail from the vendor's sending domains by exact domain match and only when the message passed DMARC for that domain (e.g., from_domain IN ("servicenow.com", "zendesk.com") AND dmarc_result = "pass"). A substring test such as from_email CONTAINS "@servicenow.com" also matches a lookalike like noreply@servicenow.com.attacker.example and a display name that merely contains the string, and without the authentication check an attacker who guesses the exclusion list can opt out of the hunt by spoofing the sender.
Scenario: Automated report generation without attachments
Description: A reporting tool like Tableau or Power BI may deliver scheduled reports as plain-text or HTML emails that link to the dashboard rather than attaching a file.
Filter/Exclusion: Exclude by the tool's authenticated sending domain (e.g., from_domain = "tableau.com" AND dmarc_result = "pass"); a subject-line condition such as subject CONTAINS "Report" is too broad on its own, since any lure that uses the same word would be excluded with it.
Scenario: User-generated content without attachments in a collaboration tool
Description: In a tool like Microsoft Teams or Slack
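The sender-based exclusions in the ticketing and reporting scenarios, as an added example that is not part of the original page: a Python script that contrasts the substring exclusion the scenarios sketch (from_email CONTAINS "@servicenow.com") with an exact-domain check tied to the DMARC result in the Authentication-Results header. The trusted-domain set, the sample messages and the function names are constructed for this illustration; the script assumes the receiving MTA writes the Authentication-Results header and removes any copy the sender supplied, as RFC 8601 requires.

```python
# Added example; not code from the original page. It implements the
# sender-based exclusions from the ticketing and reporting scenarios so that
# a lookalike domain, a display-name trick or a spoofed sender does not get a
# message excluded from the hunt. The trusted-domain set and the sample
# messages are constructed for illustration.
import re
from email import policy
from email.parser import BytesParser

# Domains named in the scenarios; in practice this is the hunt's allowlist.
TRUSTED_SENDER_DOMAINS = {"servicenow.com", "zendesk.com", "tableau.com"}


def _parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def naive_contains_exclusion(raw: bytes) -> bool:
    """What from_email CONTAINS "@servicenow.com" does: a substring test over the
    raw From header, with no check of who actually sent the message."""
    from_header = _parse(raw)["From"]
    return from_header is not None and any(
        f"@{d}" in str(from_header) for d in TRUSTED_SENDER_DOMAINS
    )


def dmarc_passed(msg) -> bool:
    """True if an Authentication-Results header (added by the receiving MTA,
    RFC 8601) reports dmarc=pass. Assumes the MTA strips any copy of that
    header supplied by the sender."""
    return any(re.search(r"\bdmarc=pass\b", str(v))
               for v in msg.get_all("Authentication-Results", []))


def trusted_sender_exclusion(raw: bytes) -> bool:
    """Exclude only when every From address has an exact trusted domain and the
    message passed DMARC, i.e. the address was not forged."""
    msg = _parse(raw)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return False
    domains = {addr.domain.lower() for addr in from_header.addresses}
    return domains <= TRUSTED_SENDER_DOMAINS and dmarc_passed(msg)


def _mail(from_line: bytes, auth_results: bytes) -> bytes:
    # constructed notification; the body is irrelevant to the exclusion logic
    return (b"From: " + from_line + b"\nTo: helpdesk@example.test\n"
            b"Subject: Ticket updated\nAuthentication-Results: " + auth_results
            + b"\n\nticket updated\n")


SAMPLES = {
    # genuine notification: exact domain, DMARC pass
    "legit": _mail(b"ServiceNow <noreply@servicenow.com>",
                   b"mx.example.test; dmarc=pass header.from=servicenow.com"),
    # lookalike domain that contains the trusted domain as a substring
    "lookalike": _mail(b"noreply@servicenow.com.attacker.example",
                       b"mx.example.test; dmarc=pass header.from=servicenow.com.attacker.example"),
    # trusted domain appears only in the display name
    "display_name": _mail(b'"noreply@servicenow.com" <alerts@attacker.example>',
                          b"mx.example.test; dmarc=pass header.from=attacker.example"),
    # exact trusted domain, but the sender could not authenticate as it
    "spoofed": _mail(b"noreply@servicenow.com",
                     b"mx.example.test; dmarc=fail header.from=servicenow.com"),
}


def compare() -> dict[str, tuple[bool, bool]]:
    """For each sample: (excluded by the CONTAINS rule, excluded by the strict rule)."""
    return {name: (naive_contains_exclusion(raw), trusted_sender_exclusion(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:13} contains_rule={naive!s:5} strict_rule={strict}")
```

The CONTAINS rule excludes all four messages, so three of them would silently drop out of the hunt; the strict rule excludes only the genuine notification. The same two conditions, exact domain and DMARC pass, are what the from_domain and dmarc_result fields in the scenario filters stand for.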