esackbauer Its not only for macros but also - and that is important! - for embedded files in office documents. OLE means “object linking and embedding”. So a malicious picture, URL or PDF embedded in an office document.
You’re right, I didn’t differentiate clearly enough between the possibilities of oletools and the way rspamd uses it, as described here:
For the default mode, it says:
“Oletools is an excellent Python module for scanning and analyzing office documents containing macros. Macro-viruses typically use an auto-exec function to load when the document is opened, as well as functions for executing code in a shell or saving files to the system. Oletools classifies harmful functions as either AutoExec or Suspicious. In the default mode, the Oletools module sets the result when at least one AutoExec and one Suspicious function are used.”
And for extended mode (used by mailcow):
“In extended mode, the oletools module does not trigger on specific categories but always sets a threat string with all the found flags whenever a macro is detected.”
The flags all seem to be macro-related.
So if I see this correctly, rspamd (and therefore mailcow) uses oletools via olefy only to look for macros.