← Back to Explore
sublimehighRule
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
.scan.entropy.entropy >= 5
and any(.scan.strings.strings,
strings.ilike(., "*body onload*")
)
and any(.scan.strings.strings,
regex.icontains(., 'data:image/.*;base64')
)
and any(.scan.strings.strings,
strings.ilike(., "*document pass*")
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: HTML smuggling 'body onload' with high entropy and suspicious text"
description: |
Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
.scan.entropy.entropy >= 5
and any(.scan.strings.strings,
strings.ilike(., "*body onload*")
)
and any(.scan.strings.strings,
regex.icontains(., 'data:image/.*;base64')
)
and any(.scan.strings.strings,
strings.ilike(., "*document pass*")
)
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "HTML smuggling"
- "Scripting"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "HTML analysis"
id: "329ac12d-f74e-577c-936c-1db80ccf860e"