Merge PR #5538 from @swachchhanda000 - feat: potential spear-phishing through svg files

new: Suspicious File Created in Outlook Temporary Directory remove: .RDP File Created by Outlook Process - deprecate in favour of fabb0e80-030c-4e3e-a104-d09676991ac3 update: Suspicious Double Extension Files - add .svg extension --------- Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2025-07-29 14:15:55 +05:45
parent 7a6c451d6d
commit f54972108f
3 changed files with 50 additions and 3 deletions
@@ -3,7 +3,7 @@ id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
 related:
    - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
      type: derived
-status: experimental
+status: deprecated
 description: |
    Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use RDP files as attachments.
@@ -13,7 +13,7 @@ references:
    - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
 author: Florian Roth
 date: 2024-11-01
-modified: 2024-11-03
+modified: 2025-07-22
 tags:
    - attack.defense-evasion
 logsource:
@@ -0,0 +1,43 @@
+title: Suspicious File Created in Outlook Temporary Directory
+id: fabb0e80-030c-4e3e-a104-d09676991ac3
+related:
+    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
+      type: obsolete
+status: experimental
+description: |
+    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
+    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
+references:
+    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
+    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
+    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-07-22
+tags:
+    - attack.initial-access
+    - attack.t1566.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_extension:
+        TargetFilename|endswith:
+            - '.cpl'
+            - '.hta'
+            - '.iso'
+            - '.rdp'
+            - '.svg'
+            - '.vba'
+            - '.vbe'
+            - '.vbs'
+    selection_location:
+        - TargetFilename|contains:
+              - '\AppData\Local\Packages\Microsoft.Outlook_'
+              - '\AppData\Local\Microsoft\Olk\Attachments\'
+        - TargetFilename|contains|all:
+              - '\AppData\Local\Microsoft\Windows\'
+              - '\Content.Outlook\'
+    condition: all of selection_*
+falsepositives:
+    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
+level: high
@@ -14,9 +14,10 @@ references:
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2025-05-30
+modified: 2025-07-22
 tags:
    - attack.defense-evasion
    - attack.t1036.007
@@ -29,6 +30,7 @@ detection:
            - '.exe'
            - '.iso'
            - '.rar'
+            - '.svg'
            - '.zip'
            # - '.lnk'  # legitimate links can happen just anywhere
        TargetFilename|contains:
@@ -43,7 +45,9 @@ detection:
            - '.png.'
            - '.ppt.'
            - '.pptx.'
+            - '.rtf.'
            - '.svg.'
+            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe: