rule M_Hunting_VPNEngine_OOXML_Target_1 {
	meta:
		description = "Detects an external relationship link in an OOXML with a VPN or proxy domain."
		author = "Mandiant"
	strings:
		$relationship_external = /TargetMode=[\"\']External[\"\']/ ascii wide nocase
		$anchor = "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">"
		$s1 = " Target=" ascii nocase
		$s2 = " TargetMode=" ascii nocase
		$s3 = " Type=" ascii nocase
		$s4 = " Id=" ascii nocase
		$re = /Target=[\"\'][^\"\']{0,100}(vpn|proxy).{0,100}/ ascii nocase
	condition:
		(filesize < 10KB) and $anchor and $relationship_external and (1 of ($s*)) and $re
}