Scenarios Examples

Explore ready-to-use scenarios. Get inspired and see what's possible!

Block Malformed Office Documents Used in Phishing Campaigns

· 3 min read
Contextal Team
Contextal Platform Creators

By the end of 2024, threat actors began employing a new technique to deliver phishing attacks using handcrafted Office files. The legitimate document content is preceded by specifically crafted data, which disrupts format detection mechanisms. Surprisingly, Microsoft Office, when opening such a file based on its extension, offers to recover the data. It scans for a valid header and opens the Office content embedded within the manipulated file.

According to our research, existing protections offered by major vendors are ineffective, and it remains relatively easy to create files that evade detection. Here, we demonstrate how to create a scenario in Contextal Platform to block all attacks of this type!

Block Documents Containing Newly Registered Domains

· 2 min read
Contextal Team
Contextal Platform Creators

According to recent research, newly registered domain names used in phishing attacks remain one of the biggest threats to internet users. The study found that domain names used in phishing attacks have an average lifetime of 21 days, with the majority being used within 4 days of registration.

We will create a scenario that detects and blocks Office, ODF, and PDF documents containing links to domain names registered less than 30 days ago.

Block Obfuscated JS in Email

· 2 min read
Contextal Team
Contextal Platform Creators

In this example, we demonstrate how to detect and block obfuscated JavaScript within Email objects (and their child objects). This technique can also be adapted to any other data type that might contain JavaScript.

The Text backend makes use of machine learning to identify common scripting languages, such as JavaScript. By combining this detection with a common characteristic of malicious scripts—obfuscation into one-liners—we can build an effective filter. Here's how:

Detect Suspicious LNK Files

· 2 min read
Contextal Team
Contextal Platform Creators

Windows shortcut (LNK) files are frequently abused by threat actors. In this article we cover an example scenario that takes a couple of characteristics of such files into account to block potentially malicious shortcuts.

Alert on CRLF Injection

· 2 min read
Contextal Team
Contextal Platform Creators

A Carriage Return Line Feed (CRLF) Injection is a type of web security vulnerability where an attacker manipulates how web applications interpret input containing carriage return (\r) and line feed (\n) characters.

Alert on XLM Macros

· One min read
Contextal Team
Contextal Platform Creators

Excel 4.0 macros (also known as XLM macros) are frequently used for malicious purposes, and while Microsoft now by default limits their usage, they could still pose a threat in some environments.

Contextual Whitelisting

· 2 min read
Contextal Team
Contextal Platform Creators

False positives are a common challenge in cybersecurity. Some detections are too generic and, when broadly applied, tend to block more than necessary. Users are sometimes forced to disable entire detections to avoid these issues, but with Contextal Platform you can handle these cases with precision. See how!