Hi,

I have noticed this behavior in malicious documents retrieving the next-stage payload using the 'HEAD' and 'OPTIONS' HTTP methods, with very short URLs, and in some cases shortened URLs, including the Ammyy RAT rule sent earlier. Admittedly, the rules may be prone to FPs. Larger-scale testing would be nice. Pcaps are available.

# --------------------
# Date: 2018-05-16
# Title: Unexpected Office Network Traffic
# Reference: https://www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection, app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df
# Tests: pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000055; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office user-agent in HTTP request to shortened URL"; flow:to_server,established; urilen:<10; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; pcre:"/User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a/H"; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/detection; reference:url,app.any.run/tasks/7375d12e-12f5-43e7-a868-ae1fb968e6df; classtype:misc-activity; sid:8000056; rev:2;)

Thanks.
YM
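Added example, not part of the original post or of any Snort rule set: a small Python model of the conditions in sid 8000055 and 8000056, run over constructed HTTP requests, to sanity-check what the two rules would and would not alert on before larger-scale testing. The host names and URIs are made up.

```python
import re
from typing import Dict, Optional

# Constructed sample requests (not the pcaps mentioned in the post).
SAMPLES: Dict[str, bytes] = {
    "options_short": (b"OPTIONS /x7Qk HTTP/1.1\r\nHost: short.invalid\r\n"
                      b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n"),
    "head_short": (b"HEAD /Ab3x9 HTTP/1.1\r\nHost: short.invalid\r\n"
                   b"User-Agent: Microsoft Office Existence Discovery\r\n"
                   b"Connection: Keep-Alive\r\n\r\n"),
    "head_with_accept": (b"HEAD /Ab3x9 HTTP/1.1\r\nHost: short.invalid\r\n"
                         b"Accept-Encoding: gzip\r\n"
                         b"User-Agent: Microsoft Office Existence Discovery\r\n\r\n"),
    "options_long_uri": (b"OPTIONS /docs/quarterly/report.docx HTTP/1.1\r\n"
                         b"Host: files.invalid\r\n"
                         b"User-Agent: Microsoft Office Protocol Discovery\r\n\r\n"),
    "head_content_hdr": (b"HEAD /Ab3x9 HTTP/1.1\r\nHost: short.invalid\r\n"
                         b"Content-Length: 0\r\n"
                         b"User-Agent: Microsoft Office Existence Discovery\r\n\r\n"),
}

# Same expression as the rules' pcre; the /H flag restricts it to the header buffer.
UA_RE = re.compile(rb"User-Agent\x3a\sMicrosoft\sOffice\s(Protocol|Existence)\sDiscovery\x0d\x0a")

def parse_request(raw: bytes):
    """Split a raw request into (method, uri, header buffer as Snort sees it)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = b"".join(line + b"\r\n" for line in header_lines)
    return method, uri, headers

def matching_sid(raw: bytes) -> Optional[str]:
    """Return the sid whose conditions the request satisfies, else None."""
    method, uri, headers = parse_request(raw)
    if len(uri) >= 10:                                     # urilen:<10
        return None
    if b"User-Agent: Microsoft Office " not in headers:    # content; http_header
        return None
    if b"Accept" in headers or not UA_RE.search(headers):  # content:!"Accept"; pcre /H
        return None
    if method == b"OPTIONS":
        return "8000055"
    if method == b"HEAD" and b"Content-" not in headers:   # HEAD rule also excludes Content-*
        return "8000056"
    return None

def run_samples() -> Dict[str, Optional[str]]:
    """Map each constructed sample to the sid it would trigger, or None."""
    return {name: matching_sid(raw) for name, raw in SAMPLES.items()}
```

Note that content matching is case-sensitive here, as in the rules (no nocase), and that "Accept" also excludes any Accept-* header.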