DECNET/rules/ttp/R0046.yaml
anti 1ad15470a1 feat(ttp): E.3.8 R0041-R0048 email cohort
8 YAMLs for the email cohort per Appendix B: open-relay abuse,
mass phishing, phishing-kit X-Mailer signatures, IDN/punycode
URLs, sender masquerade, malicious attachment, BEC, encoded
payload in body. EmailLifter (E.3.12) consumes by rule_id.

test_email_rules.py: YAML-present + inert-in-v0 + xfail(strict)
precision case gated on E.3.12.
2026-05-01 09:19:56 -04:00

34 lines
730 B
YAML

rule_id: R0046
rule_version: 1
name: malicious_attachment
description: |
  Macro-bearing Office doc, .lnk, .iso/.img, password-protected
  archive, or HTML-smuggling pattern. Lifter inspects the
  attachment table (file_type + ole_macros + maldoc verdict).
applies_to:
  - email
match:
  kind: lifter:email_malicious_attachment
  triggers:
    - office_macro
    - lnk
    - iso
    - img
    - protected_archive
    - html_smuggling
    - mal_hash_match
emits:
  - tactic: TA0002
    technique_id: T1204
    sub_technique_id: T1204.002
    confidence: 0.9
  - tactic: TA0001
    technique_id: T1566
    sub_technique_id: T1566.001
    confidence: 0.9
evidence_fields:
  - filename
  - mime_type
  - matched_trigger
  - file_hash
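
An added sketch of how a lifter could evaluate R0046's triggers against one attachment-table row and fill the rule's `evidence_fields`; it is not DECNET's EmailLifter code, which is not shown on this page. The row keys `encrypted` and `text`, the file-type sets, the HTML-smuggling regexes and the function names are assumptions, the `maldoc verdict` column is left out because its values are not given here, and the sample rows are constructed.

```python
import re

# Assumed row keys: filename, mime_type, file_type (content-sniffed, not the
# extension), ole_macros, encrypted, file_hash, text (decoded HTML body only).
DIRECT = ("lnk", "iso", "img")  # file_type maps 1:1 onto a trigger name
OFFICE = {"doc", "docm", "xls", "xlsm", "ppt", "pptm"}
ARCHIVE = {"zip", "rar", "7z"}
# Smuggling heuristic: script both decodes an embedded blob and forces a save.
DECODE = re.compile(r"atob\s*\(|new\s+Blob\s*\(", re.I)
SAVE = re.compile(r"createObjectURL|msSaveOrOpenBlob|\.download\s*=", re.I)
EMITS = (("TA0002", "T1204", "T1204.002"), ("TA0001", "T1566", "T1566.001"))

def match_triggers(att, bad_hashes=frozenset()):
    """Return the R0046 triggers that fire for one attachment row."""
    ftype = (att.get("file_type") or "").lower()
    text = att.get("text") or ""
    hits = []
    if ftype in OFFICE and att.get("ole_macros"):
        hits.append("office_macro")
    if ftype in DIRECT:
        hits.append(ftype)
    if ftype in ARCHIVE and att.get("encrypted"):
        hits.append("protected_archive")
    if ftype == "html" and DECODE.search(text) and SAVE.search(text):
        hits.append("html_smuggling")
    if att.get("file_hash") in bad_hashes:
        hits.append("mal_hash_match")
    return hits

def lift(att, bad_hashes=frozenset()):
    """One emission per (trigger, technique) pair, carrying evidence_fields."""
    base = {k: att.get(k) for k in ("filename", "mime_type", "file_hash")}
    return [{"rule_id": "R0046", "tactic": ta, "technique_id": t, "sub_technique_id": s,
             "confidence": 0.9, "evidence": {**base, "matched_trigger": trig}}
            for trig in match_triggers(att, bad_hashes) for ta, t, s in EMITS]

# Constructed sample rows (not real mail); row 2 is a shortcut behind a .pdf name.
SAMPLES = [
    {"filename": "q3.docm", "mime_type": "application/vnd.ms-word.document.macroEnabled.12",
     "file_type": "docm", "ole_macros": True, "file_hash": "hash-a"},
    {"filename": "invoice.pdf", "mime_type": "application/pdf", "file_type": "lnk", "file_hash": "hash-b"},
    {"filename": "notes.html", "mime_type": "text/html", "file_type": "html", "file_hash": "hash-c",
     "text": "<script>var b=new Blob([atob(d)]);a.href=URL.createObjectURL(b);</script>"},
    {"filename": "readme.html", "mime_type": "text/html", "file_type": "html", "text": "<p>hello</p>"},
]

if __name__ == "__main__":
    for row in SAMPLES:
        print(row["filename"], match_triggers(row, bad_hashes={"hash-b"}))
```

Keying on the sniffed `file_type` rather than the filename is what lets the second row fire `lnk` despite its `.pdf` name, and one attachment can fire several triggers at once.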