[PR #3472] added rule: Attachment: DOCX with hyperlink targeting recipient address

Author: github-actions[bot]

detection-rules/3472_attachment_docx_hyperlink_targeting_recipient.yml

@@ -0,0 +1,43 @@
+name: "Attachment: DOCX with hyperlink targeting recipient address"
+description: "Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses from suspicious or malicious senders. This technique is commonly used to personalize malicious documents and evade detection."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension == 'docx'),
+          any(filter(file.explode(.), .file_name == 'word/document.xml'),
+                  any(regex.iextract(.scan.strings.raw,
+                                     '<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
+                      ),
+                      .named_groups["email_address"] in map(recipients.to,
+                                                            .email.email
+                      )
+                  )
+          )
+  )
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Archive analysis"
+  - "XML analysis"
+  - "Sender analysis"
+id: "d2ff2c1e-2994-5ca2-8bf3-508213e11364"
+og_id: "9ec8fa49-bda9-5e8f-876f-1e53a46d83ca"
+testing_pr: 3472
+testing_sha: abd489f7280be8b30f9cfcc0ef3d015749ce8fd3