HTML smuggling with atob in message body
Detects an inbound email whose HTML body contains a document.write or insertAdjacentHTML call combined with an atob call, while the plain-text part is near-empty or absent. This technique has been observed leading to credential phishing.
Detection Query
type.inbound
and (length(body.plain.raw) < 200 or body.plain.raw is null)
and regex.icontains(body.html.raw,
                    "document.{0,10}(write|insertAdjacentHTML).{0,10}atob"
)
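As an added illustration (not Sublime's engine or this rule's own code), the Python below re-implements the query's two conditions and runs them over constructed sample bodies, so you can see which shapes the regex catches and which it leaves alone; sample names, helper functions and the base64 payload are all assumptions made for the example.

```python
import re
from typing import Optional

# Same pattern as the rule. In a regex '.' is any character, so the gaps also
# cover forms like document["write"] and up to 10 characters before atob.
SMUGGLING_RE = re.compile(
    r"document.{0,10}(write|insertAdjacentHTML).{0,10}atob", re.IGNORECASE
)
PLAIN_BODY_LIMIT = 200  # length(body.plain.raw) < 200

def html_has_atob_write(html: Optional[str]) -> bool:
    """regex.icontains(body.html.raw, ...) with a null HTML body treated as no match."""
    return html is not None and SMUGGLING_RE.search(html) is not None

def plain_body_is_sparse(plain: Optional[str]) -> bool:
    """(length(body.plain.raw) < 200 or body.plain.raw is null)"""
    return plain is None or len(plain) < PLAIN_BODY_LIMIT

def rule_matches(inbound: bool, plain: Optional[str], html: Optional[str]) -> bool:
    """Whole rule: inbound, sparse text part, smuggling pattern in the HTML part."""
    return inbound and plain_body_is_sparse(plain) and html_has_atob_write(html)

# Constructed samples (not real captures); the base64 decodes to "<h1>Hello</h1>".
# Fields: (type.inbound, body.plain.raw, body.html.raw)
SAMPLES = {
    # Typical shape: near-empty text part, script decodes and writes markup on open.
    "smuggled_write": (True, "", '<script>document.write(atob("PGgxPkhlbGxvPC9oMT4="))</script>'),
    # Mixed case and bracket access still match thanks to icontains and the '.' gaps.
    "smuggled_mixed_case": (True, None, "<script>Document['WRITE'](Atob(p))</script>"),
    # insertAdjacentHTML reached through document.body, position held in a variable.
    "smuggled_insert": (True, "Open", "<script>document.body.insertAdjacentHTML(pos,atob(d))</script>"),
    # atob alone (e.g. decoding a token) without a DOM write is not enough.
    "atob_without_write": (True, "", "<script>var t = atob(token); send(t);</script>"),
    # A real newsletter carries a substantial text part, so the sparse-body guard excludes it.
    "long_plain_newsletter": (True, "Monthly update. " * 20, "<p>Monthly update.</p>"),
    # Same HTML as the first sample but outbound: the rule is scoped to inbound mail.
    "outbound_copy": (False, "", '<script>document.write(atob("PGgxPkhlbGxvPC9oMT4="))</script>'),
}

def evaluate_samples() -> dict:
    """Run the rule over every sample and return name -> matched."""
    return {name: rule_matches(*fields) for name, fields in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22} {'MATCH' if hit else 'no match'}")
```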
Data Sources
Email Messages
Email Headers
Email Attachments
Platforms
email
Raw Content
name: "HTML smuggling with atob in message body"
description: |
  Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call.
  This technique has been observed leading to credential phishing.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (length(body.plain.raw) < 200 or body.plain.raw is null)
  and regex.icontains(body.html.raw,
                      "document.{0,10}(write|insertAdjacentHTML).{0,10}atob"
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "0f86851f-3ec4-50b6-ba1a-cba096642d0e"