This rule does not detect .eml files as such; it matches the content of one specific spear-phishing message from the campaign its metadata calls the "Ukraine BE" (BlackEnergy) power attack. The Subject string is an RFC 2047 encoded-word (windows-1251, base64) and the body strings are quoted-printable lines in the same charset, so the rule only fires on the raw, still-encoded message, not on a rendered or re-encoded copy. Run it over stored .eml files (mail-gateway quarantine, archive exports, mailbox dumps collected during an investigation) and forward hits to the SIEM, for example Azure Sentinel, as indicators that the campaign's initial-access phishing reached the environment.
YARA Rule
rule email_Ukraine_power_attack_content : mail {
    meta:
        author = "@mmorenog,@yararules"
        description = "Detects a possible .eml used in the Ukraine BE power attack"
        ref1 = "https://twitter.com/lowcalspam/status/692625258394726400"
    strings:
        // RFC 2047 encoded-word, charset windows-1251, base64; decodes to
        // "Указ Президента України № 1" (Decree of the President of Ukraine No. 1)
        $subject = "=?windows-1251?B?0+rg5yDP8OXn6OTl7fLgINPq8OC/7egguSAx?="
        // Quoted-printable windows-1251 body lines, matched exactly as they sit on the
        // wire (a trailing '=' is a QP soft line break, so it is part of the atom)
        $body_string1 = "=E5=E7=E8=E4=E5=ED=F2=E0 =D3=EA=F0=E0=BF=ED=E8 =F2=E0 =EF=EE=F0=FF=E4=EE=EA="
        $body_string2 = "=B3 =C7=E1=F0=EE=E9=ED=E8=F5 =D1=E8=EB =D3=EA=F0=E0=BF=ED=E8 =F2=E0=20"
        $body_string3 = "=E1=B3=F2=ED=E8=EA=B3=E2 =EE=F0=E3=E0=ED=B3=E7=E0=F6=B3=E9 =E7=E0 =E7=F0=E0="
        // Remote image whose file name is base64 of the recipient address
        // ("mail_kanc@oe.if.ua"): a tracking beacon that reports which mailbox opened the lure
        $body_string4 = "http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png"
        $body_string5 = "=C2=B3=E4=EF=EE=E2=B3=E4=ED=EE =E4=EE =D3=EA=E0=E7=F3 =CF=F0=E5=E7=E8=E4=E5="
    condition:
        3 of them
}
This YARA rule applies wherever raw, still MIME-encoded .eml files can be scanned: mail-gateway quarantines, archive exports and mailbox dumps collected during an investigation.
This rule contains 6 string patterns in its detection logic: one base64 encoded-word Subject header, four quoted-printable windows-1251 body lines and one tracking-image URL; the condition fires when any 3 of them are present. Because the strings identify the lure itself rather than the .eml container, a copy produced by a backup, archiving or migration job still contains the phishing message. Treat the scenarios below as ways to deduplicate hits and attribute them to the originating mailbox, not as reasons to suppress the match.
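The following script is an added example, not code from the page or from the rule's author. It decodes the six atoms so an analyst can see what the rule actually keys on (the windows-1251 Subject, the quoted-printable body lines and the base64 recipient address hidden in the beacon URL), then mimics the rule's "3 of them" condition with plain substring searches over two constructed .eml samples: the lure as it arrives on the wire, and the same message after a gateway or archiver has decoded it to UTF-8. Sender and recipient addresses in the samples are placeholders; the message bodies are constructed around the rule's own strings. No YARA binding is required.

```python
"""Decode the six atoms of email_Ukraine_power_attack_content and evaluate its
"3 of them" condition over constructed .eml samples.  Added example: not the
page's or the rule author's code."""
import base64
import quopri
from email.header import decode_header

# The six strings, copied verbatim from the rule.  YARA matches these bytes as
# they sit on the wire: an RFC 2047 encoded-word in the Subject header and
# quoted-printable lines in a windows-1251 body.
RULE_STRINGS = {
    "$subject": "=?windows-1251?B?0+rg5yDP8OXn6OTl7fLgINPq8OC/7egguSAx?=",
    "$body_string1": "=E5=E7=E8=E4=E5=ED=F2=E0 =D3=EA=F0=E0=BF=ED=E8 =F2=E0 =EF=EE=F0=FF=E4=EE=EA=",
    "$body_string2": "=B3 =C7=E1=F0=EE=E9=ED=E8=F5 =D1=E8=EB =D3=EA=F0=E0=BF=ED=E8 =F2=E0=20",
    "$body_string3": "=E1=B3=F2=ED=E8=EA=B3=E2 =EE=F0=E3=E0=ED=B3=E7=E0=F6=B3=E9 =E7=E0 =E7=F0=E0=",
    "$body_string4": "http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png",
    "$body_string5": "=C2=B3=E4=EF=EE=E2=B3=E4=ED=EE =E4=EE =D3=EA=E0=E7=F3 =CF=F0=E5=E7=E8=E4=E5=",
}
CONDITION_MIN = 3  # the rule's condition is "3 of them"


def decode_subject(encoded_word: str) -> str:
    """Decode an RFC 2047 Subject such as the one the rule keys on."""
    parts = []
    for chunk, charset in decode_header(encoded_word):
        parts.append(chunk.decode(charset or "ascii") if isinstance(chunk, bytes) else chunk)
    return "".join(parts)


def decode_body_fragment(fragment: str, charset: str = "windows-1251") -> str:
    """Decode one quoted-printable body line; a trailing '=' is a QP soft line break."""
    return quopri.decodestring(fragment.encode("ascii")).decode(charset)


def decode_tracking_pixel(url: str) -> str:
    """The image name on the 176.53.127.194 URL is base64 of the recipient address,
    so fetching the image tells the sender which mailbox opened the lure."""
    name = url.rsplit("/", 1)[1]
    if name.endswith(".png"):
        name = name[:-4]
    return base64.b64decode(name + "=" * (-len(name) % 4)).decode("ascii")


def evaluate_rule(raw_eml: bytes) -> dict:
    """Mimic the rule without libyara: each atom is a plain substring search over the
    raw bytes, and the message matches when at least CONDITION_MIN atoms are found."""
    hits = {name: s.encode("ascii") in raw_eml for name, s in RULE_STRINGS.items()}
    count = sum(hits.values())
    return {"hits": hits, "count": count, "matches": count >= CONDITION_MIN}


# Constructed sample 1: the lure as it would arrive, still MIME-encoded.  It carries
# exactly three of the six atoms (Subject, the first body line, the beacon URL),
# which is the rule's threshold.  Addresses are placeholders.
LURE_EML = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: =?windows-1251?B?0+rg5yDP8OXn6OTl7fLgINPq8OC/7egguSAx?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=windows-1251\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<p>=D3=EA=E0=E7 =CF=F0=\r\n"
    b"=E5=E7=E8=E4=E5=ED=F2=E0 =D3=EA=F0=E0=BF=ED=E8 =F2=E0 =EF=EE=F0=FF=E4=EE=EA=\r\n"
    b" ...</p>\r\n"
    b'<img src=3D"http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png">\r\n'
)

# Constructed sample 2: the same message after an archiver or gateway has decoded it
# to UTF-8 text.  Only the URL atom survives, so the rule no longer fires even though
# this is the same lure: scan the raw .eml, not a rendered or re-encoded copy.
DECODED_COPY = (
    "Subject: Указ Президента України № 1\r\n\r\n"
    "Указ Президента України та порядок ...\r\n"
    '<img src="http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png">\r\n'
).encode("utf-8")


if __name__ == "__main__":
    print("subject :", decode_subject(RULE_STRINGS["$subject"]))
    for name in ("$body_string1", "$body_string2", "$body_string3", "$body_string5"):
        print(name, ":", decode_body_fragment(RULE_STRINGS[name]))
    print("beacon  :", decode_tracking_pixel(RULE_STRINGS["$body_string4"]))
    for label, sample in (("raw lure", LURE_EML), ("decoded copy", DECODED_COPY)):
        result = evaluate_rule(sample)
        print(f"{label}: {result['count']} of {len(RULE_STRINGS)} atoms, matches={result['matches']}")
```

The second sample is the practical caveat: any pipeline that normalises mail before scanning (charset conversion, re-encoding QP to base64 or 8bit, HTML-to-text) strips five of the six atoms, and the URL alone is below the threshold. Point the scanner at the .eml bytes as received, and if you must scan decoded text, write a companion rule on the decoded Ukrainian strings.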
Scenario: System backup job exporting email archives
Description: A scheduled backup job runs nightly and exports .eml files from an email archive to a shared storage location.
Filter/Exclusion: Exclude files generated by the Veeam Backup & Replication tool during scheduled backups, using the file.name field to match known backup job patterns.
Scenario: Email archiving tool processing inbound emails
Description: An email archiving solution like Mimecast or Microsoft Exchange Online Archiving processes .eml files as part of its normal operation.
Filter/Exclusion: Exclude files associated with the Microsoft Exchange service or Mimecast using the process.name or file.path fields.
Scenario: Administrator reviewing email content for compliance
Description: An admin uses a tool like Microsoft Outlook or Thunderbird to manually review .eml files for compliance or auditing purposes.
Filter/Exclusion: Exclude processes related to Outlook or Thunderbird using the process.name field, or filter by user account if the admin has a known username.
Scenario: Scheduled email export from a legacy email system
Description: A legacy email system like Lotus Notes or GroupWise runs a scheduled job to export .eml files to a file server.
Filter/Exclusion: Exclude files generated by Lotus Notes or GroupWise using the process.name or file.path fields, or by checking the source IP or user context.
Scenario: Email migration tool converting emails to .eml format
Description: An email migration tool like Microsoft Hybrid Migration or Migrate to Office 365 converts emails to .eml format during migration.