Attachment: HTML smuggling with atob and high entropy

name: "Attachment: HTML smuggling with atob and high entropy"
description: |
  Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
references:
  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "message/rfc822"
            or .file_extension in ('eml')
          )
          and any(file.explode(.),
                  .scan.entropy.entropy >= 5
                  and (
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(., "document", "write", "atob")
                           )
                    ) == 3
                    // usage: document['write'](atob)
                    or any(.scan.strings.strings,
                           regex.icontains(., "document.{0,10}write.{0,10}atob")
                    )
                    // usage: some_var = atob();
                    or any(.scan.strings.strings,
                           regex.icontains(., "=.?atob.*;")
                    )
                    // usage: atob(atob
                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                    // usage: {src: atob
                    or any(.scan.strings.strings,
                           strings.ilike(., "*{src: atob*")
                    )
                    // usage: eval(atob)
                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                    // usage: atob(_0x)
                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                    // usage : 'at'+'ob'
                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
                    // usage: obfuscating "atob"
                    or any(.scan.javascript.identifiers,
                           strings.ilike(., '*ato\u0062*')
                    )
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(., "*document*insertAdjacentHTML*atob*")
                    )
                  )
          )
  )
  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
  - "URL analysis"
id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"