On a recent engagement, I took a different approach to finding possible malicious files entering the customer's network. Rather than focusing on the e-mail, I looked for any RAR files, macro-enabled Office documents, and portable executable (PE) files entering the network where no service was specified. Of course, this was done using RSA NetWitness, and immediately I found a RAR file which contained a malicious executable. This was, however, a different vector by which it entered the network. It didn't appear to be a link that someone clicked from an e-mail, and it wasn't an attachment from an e-mail either. It was from a customer-configured, cloud-based support site. You can find many customers who use these types of sites.
So here's how I believe this was attempted. A malicious actor goes to the . .com site, where they open a support ticket for an order they placed (of course, they probably didn't place an actual order). Then, using the support interface, they upload what appears to be an order list. In this instance I found the file name was "OrderList_Xlsx.arj", which is a RAR file, and inside was a file called "OrderList.exe", all of which was downloaded by the customer support representative using their admin console to the site.
I created a quick and easy search to find this type of activity.
alias.host = ' . .com' && (filetype = 'rar' || filetype = 'windows executable' || ((filetype = 'zip' || filetype contains 'office') && filename contains 'vbaproject.bin') || extension contains 'docm','xlsm','pptm' || content contains 'macro')
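As an added example (not from the original post), here is the same matching logic expressed in Python so it can be tested offline against constructed session records; the field names, the magic-byte sniffing that shows why an ".arj"-named upload is still classified as RAR, and the host name support.example.com are assumptions.

```python
# Added example: re-implements the NetWitness query's matching rules in Python
# over constructed session metadata. Field names (alias_host, filetype,
# filename, extension, content) and all sample records are assumptions.

RAR_MAGIC = b"Rar!\x1a\x07"          # shared prefix of the RAR4 and RAR5 signatures
MACRO_EXTS = ("docm", "xlsm", "pptm")  # macro-enabled Office extensions


def sniff_filetype(header: bytes) -> str:
    """Classify by leading bytes; the extension in the file name is not trusted."""
    if header.startswith(RAR_MAGIC):
        return "rar"
    if header.startswith(b"MZ"):          # PE files start with the DOS 'MZ' stub
        return "windows executable"
    if header.startswith(b"PK\x03\x04"):  # zip container (also modern Office docs)
        return "zip"
    return "unknown"


def is_suspicious(rec: dict, support_host: str) -> bool:
    """Mirror of the query: archive, PE or macro-bearing document from the support site."""
    if rec.get("alias_host") != support_host:
        return False
    ft = rec.get("filetype", "").lower()
    fname = rec.get("filename", "").lower()
    ext = rec.get("extension", "").lower()
    content = rec.get("content", "").lower()
    if ft in ("rar", "windows executable"):
        return True
    if (ft == "zip" or "office" in ft) and "vbaproject.bin" in fname:
        return True
    if any(m in ext for m in MACRO_EXTS):
        return True
    return "macro" in content


# Constructed sessions: the first mimics the .arj-named RAR described in the post.
SESSIONS = [
    {"alias_host": "support.example.com", "header": RAR_MAGIC + b"\x00",
     "filename": "OrderList_Xlsx.arj", "extension": "arj"},
    {"alias_host": "support.example.com", "header": b"%PDF-1.7",
     "filename": "invoice.pdf", "extension": "pdf"},
    {"alias_host": "support.example.com", "header": b"PK\x03\x04",
     "filename": "Quote.xlsm", "extension": "xlsm"},
]


def flag_sessions(sessions, support_host="support.example.com"):
    """Return the file names of sessions the query logic would surface."""
    hits = []
    for s in sessions:
        rec = dict(s, filetype=sniff_filetype(s["header"]))
        if is_suspicious(rec, support_host):
            hits.append(rec["filename"])
    return hits
```

The PDF record is left alone while the mislabelled RAR is caught by its magic bytes rather than its ".arj" name, which is the point of keying on filetype instead of extension.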