ESET Online Help


Malicious email attachments feed

The primary purpose of the Malicious email attachments feed is to protect users and organizations from potential threats posed by email attachments. Malicious email attachments are files sent via email with the intent to compromise or damage the recipient's computer system or exfiltrate sensitive information. These harmful payloads often masquerade as seemingly innocuous items, such as documents, PDFs, images, or audio files. When unsuspecting users open these attachments, they inadvertently unleash malware, such as ransomware, spyware, and trojans. The attachments often mimic legitimate communications from reputable sources, increasing the likelihood of users opening them. The feed is updated frequently to keep pace with emerging threats and is created from ESET telemetry sources focused on email scanning (on both the client and server sides) in near real time.

ESET ensures compatibility by using the TAXII 2.1 and STIX 2.1 standards, which make ESET threat intelligence data easily consumable by TIPs, XDR/EDR, SIEM and SOAR platforms, and firewalls. Each of these feeds is created in near real time, and deduplication happens every 24 hours.

The Malicious email attachments feed mainly uses the following STIX 2.1 SDO, SRO and SCO objects and related metadata:

Indicator

Malware

Observed Data

Relationship

Example data is directly available inside the ESET Threat Intelligence portal. To use the portal without the license in Demo mode, follow the steps in the Get started guide to create an account. Additionally, see the Demo mode topic.

ESET STIX 2.1 SDO Names and Labels

Indicator

Name: "Malware variant" (the file has shown malicious activity); severity: High; confidence: High

Label: "malicious-activity"

Malware

Name: name of the detection

Labels:

"trojan"

"worm"

"virus"

"dropper"

"adware"

"rogue security software"

"ransomware"

"keylogger"

"rootkit"

"ddos"

"bot"

"spyware"
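The following consumer shows how the object types listed above (Indicator, Malware, Observed Data, Relationship) and the names and labels in this section fit together on the receiving side: it walks the "indicates" relationships from each Indicator to its Malware object, pulls the file hash out of the indicator pattern, and groups the hashes by malware label into a blocklist a mail gateway could load. This is an added example, not ESET code and not output of the portal. The bundle it parses is constructed to match the object shapes described on this page; the STIX ids, detection names, hashes and the exact pattern layout (a file:hashes comparison) are assumptions, since the page does not show the feed's raw objects. It also handles two cases a real consumer meets: a relationship whose target is absent from the bundle, and the same hash reported twice, which matters because the feed itself deduplicates only every 24 hours.

```python
"""Consumer for a STIX 2.1 bundle in the shape this feed describes:
Indicator --indicates--> Malware, where the Indicator carries a file-hash
pattern and the Malware object carries one of the feed's labels.

Added example, not ESET code. The bundle below is constructed; its ids,
names, hashes and the pattern layout are assumptions, not feed data.
"""
import json
import re
from collections import defaultdict

# One comparison in a STIX file-hash pattern, e.g.
#   file:hashes.'SHA-256' = '<hex>'   or   file:hashes.MD5 = '<hex>'
# (assumed layout; the page does not show the feed's actual patterns).
HASH_RE = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([0-9a-fA-F]+)'")

# Malware labels the page lists for this feed.
KNOWN_MALWARE_LABELS = {
    "trojan", "worm", "virus", "dropper", "adware", "rogue security software",
    "ransomware", "keylogger", "rootkit", "ddos", "bot", "spyware",
}

HASH_A, HASH_B = "a" * 64, "b" * 64   # constructed placeholder digests


def _id(kind, suffix):
    """Constructed STIX id; suffix fills the last two hex digits of the UUID."""
    return f"{kind}--00000000-0000-4000-8000-0000000000{suffix}"


def _indicator(suffix, pattern):
    return {"type": "indicator", "spec_version": "2.1", "id": _id("indicator", suffix),
            "name": "Malware variant", "labels": ["malicious-activity"],
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2024-01-01T00:00:00Z"}


def _malware(suffix, label):
    return {"type": "malware", "spec_version": "2.1", "id": _id("malware", suffix),
            "name": f"Constructed/{label}.Example", "labels": [label], "is_family": False}


def _indicates(suffix, src, dst):
    return {"type": "relationship", "spec_version": "2.1", "id": _id("relationship", suffix),
            "relationship_type": "indicates", "source_ref": src, "target_ref": dst}


# Constructed sample bundle (not real feed data).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": _id("bundle", "01"), "objects": [
    _indicator("a1", f"[file:hashes.'SHA-256' = '{HASH_A}']"),
    _malware("b1", "trojan"),
    _indicates("c1", _id("indicator", "a1"), _id("malware", "b1")),
    # the same file reported again, this time with its MD5 OR-joined in the pattern
    _indicator("a2", f"[file:hashes.'SHA-256' = '{HASH_A}' OR file:hashes.MD5 = '{'c' * 32}']"),
    _malware("b2", "trojan"),
    _indicates("c2", _id("indicator", "a2"), _id("malware", "b2")),
    _indicator("a3", f"[file:hashes.'SHA-256' = '{HASH_B}']"),
    _malware("b3", "ransomware"),
    _indicates("c3", _id("indicator", "a3"), _id("malware", "b3")),
    # dangling relationship: its target object is not present in this bundle
    _indicates("c4", _id("indicator", "a3"), _id("malware", "ff")),
    # Observed Data object: part of the feed, but not needed for a hash blocklist
    {"type": "observed-data", "spec_version": "2.1", "id": _id("observed-data", "d1"),
     "first_observed": "2024-01-01T00:00:00Z", "last_observed": "2024-01-01T00:00:00Z",
     "number_observed": 1, "object_refs": []},
]})


def parse_hashes(pattern):
    """Return {ALGORITHM: lowercase digest} for every file-hash comparison in a pattern."""
    return {alg.upper(): digest.lower() for alg, digest in HASH_RE.findall(pattern)}


def index_labels(bundle):
    """Walk 'indicates' relationships and return {sha256: set(malware labels)}.
    Relationships with a missing endpoint or the wrong object types are skipped."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    labels_by_hash = defaultdict(set)
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "indicates":
            continue
        ind, mal = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if not (ind and mal) or ind["type"] != "indicator" or mal["type"] != "malware":
            continue
        if "malicious-activity" not in ind.get("labels", []):
            continue
        sha256 = parse_hashes(ind.get("pattern", "")).get("SHA-256")
        if sha256 is None:        # assumption: the blocklist is keyed on SHA-256 only
            continue
        labels = set(mal.get("labels", [])) & KNOWN_MALWARE_LABELS
        labels_by_hash[sha256] |= labels or {"unlabelled"}
    return labels_by_hash


def build_blocklist(bundle_json, seen=None):
    """Return {label: sorted digests} for hashes not yet in `seen`.
    `seen` stands in for the consumer's own dedup store, because the feed
    itself deduplicates only once every 24 hours."""
    seen = set() if seen is None else seen
    blocklist = defaultdict(set)
    for sha256, labels in index_labels(json.loads(bundle_json)).items():
        if sha256 in seen:
            continue
        seen.add(sha256)
        for label in labels:
            blocklist[label].add(sha256)
    return {label: sorted(digests) for label, digests in sorted(blocklist.items())}


if __name__ == "__main__":
    print(json.dumps(build_blocklist(SAMPLE_BUNDLE), indent=2))
```

Keeping `seen` outside the function lets the same store be passed across consecutive polls, so a hash that the feed repeats within its 24-hour deduplication window is not pushed to the gateway twice; the Observed Data objects are deliberately left alone here, since they describe sightings rather than anything to block.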