I received a spam message with a score of -1. Well written, looks like legitimate commercial mail, asking for a quotation, with details in the attachment, a 3 MB file with an unknown extension ".one".
The file turns out to be a Windows Trojan:
https://www.virustotal.com/gui/file/f4d587f60f2d34add9f77fcbd8c3c0df3ca51cfaecd9de85c45d25647eaac40b
Both SA and ClamAV passed it as legit.
We should have an SA rule that says: "attached file with unknown data type".
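As an added example (not from the original post or from the SpamAssassin project), this is one way to express the proposed "attached file with unknown data type" idea as local rules using the MIMEHeader plugin, which matches against the headers of each MIME part. The rule names, scores and the list of "known" extensions are assumptions to tune per site; the `.one` extension is the one seen in the sample above (OneNote section files).

```spamassassin
# Added example for local.cf: flag attachments the sender declared as
# opaque binary without a recognisable extension, and .one attachments
# explicitly. Rule names, scores and the extension list are assumptions.
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Part declared as generic binary: the sending MUA did not classify it.
mimeheader   __LOCAL_CT_OCTET      Content-Type =~ /^application\/octet-stream\b/i

# Attachment name carries an extension we consider known (tune this list).
mimeheader   __LOCAL_CT_NAME_KNOWN Content-Type =~ /\bname\s*=\s*"?[^";]*\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|gif|txt|csv|zip)\b/i
mimeheader   __LOCAL_CD_NAME_KNOWN Content-Disposition =~ /\bfilename\s*=\s*"?[^";]*\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|gif|txt|csv|zip)\b/i

# Generic binary part whose filename is not on the known list.
meta         LOCAL_ATTACH_UNKNOWN  (__LOCAL_CT_OCTET && !(__LOCAL_CT_NAME_KNOWN || __LOCAL_CD_NAME_KNOWN))
describe     LOCAL_ATTACH_UNKNOWN  Attachment declared application/octet-stream with unknown extension
score        LOCAL_ATTACH_UNKNOWN  3.0

# Attachment named *.one, as in the reported sample.
mimeheader   __LOCAL_CT_NAME_ONE   Content-Type =~ /\bname\s*=\s*"?[^";]*\.one\b/i
mimeheader   __LOCAL_CD_NAME_ONE   Content-Disposition =~ /\bfilename\s*=\s*"?[^";]*\.one\b/i
meta         LOCAL_ATTACH_ONE      (__LOCAL_CT_NAME_ONE || __LOCAL_CD_NAME_ONE)
describe     LOCAL_ATTACH_ONE      Attachment with .one (OneNote section) extension
score        LOCAL_ATTACH_ONE      4.0
```

Check the syntax with `spamassassin --lint` after adding the rules, then feed the saved sample through `spamassassin -t < sample.eml` and confirm `LOCAL_ATTACH_UNKNOWN` or `LOCAL_ATTACH_ONE` appears in the rule hits. The scores are deliberately not high enough alone to reject mail, since legitimate senders also mislabel attachments as `application/octet-stream`; the rules are meant to push a message like this one out of the negative range so other rules can tip it over.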