Sublime rule (severity: medium)
Attachment: HTML smuggling with base64 encoded ZIP file
Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content that are decoded and executed client-side.
Detection Query
type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
        )
        and (
          // javascript functions to decode the base64
          strings.icontains(file.parse_text(.).text, 'atob')
          or strings.icontains(file.parse_text(.).text, 'fromCharCode')
          or strings.icontains(file.parse_text(.).text, 'base64')
        )
        // Magic bytes for a ZIP/Office File that have been base64 encoded
        and regex.contains(file.parse_text(.).text,
                           '[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB'
        )
        // negation of Micro Focus Voltage Secure Messaging
        and not strings.contains(file.parse_text(.).text,
                                 "<input type=\"hidden\" name=\"ZFRdata\" value=\"\n-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA"
        )
)
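The rule's logic re-implemented in Python as an added example (this is not Sublime's code). It shows why the rule keys on the token UEsDB (the base64 encoding of the ZIP local-file-header magic PK\x03\x04, which Office documents share), mirrors the extension, decoder-function, regex and Voltage-exclusion clauses, and runs them over constructed attachment text; the sample filenames and bodies are hypothetical, and file.parse_text() is replaced by passing the text in directly.

```python
import base64
import re

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}   # .file_extension in~ (...)
DECODER_MARKERS = ("atob", "fromcharcode", "base64")   # strings.icontains(...)
# base64(b"PK\x03\x04") == "UEsDBA==": the first five characters depend only on
# the four magic bytes, so "UEsDB" is the longest prefix every encoded ZIP (and
# DOCX/XLSX/PPTX) shares. The leading class demands a delimiter before it.
ENCODED_ZIP_MAGIC = re.compile(r'[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB')
# Exact prefix of the Micro Focus Voltage Secure Messaging form the rule excludes.
VOLTAGE_SECURE_BLOCK = ('<input type="hidden" name="ZFRdata" value="\n'
                        '-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA')

def zip_magic_base64() -> str:
    """Base64 of the ZIP magic, i.e. the reason the rule looks for UEsDB."""
    return base64.b64encode(b"PK\x03\x04").decode()

def is_html_attachment(filename: str, file_type: str = "") -> bool:
    """Mirror the extension / file_type clause (extension compare is case-insensitive)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HTML_EXTENSIONS or file_type == "html"

def matches_rule(filename: str, text: str, file_type: str = "") -> bool:
    """True when the attachment would satisfy the body of any(attachments, ...)."""
    if not is_html_attachment(filename, file_type):
        return False
    lowered = text.lower()
    has_decoder = any(marker in lowered for marker in DECODER_MARKERS)
    has_encoded_zip = ENCODED_ZIP_MAGIC.search(text) is not None
    is_voltage = VOLTAGE_SECURE_BLOCK in text   # strings.contains is case-sensitive
    return has_decoder and has_encoded_zip and not is_voltage

# Constructed attachments (hypothetical names and content, not real samples).
SAMPLES = {
    # decoder call plus a quoted base64 blob starting with the ZIP magic -> match
    "smuggled": ("invoice.html", "<script>var d = atob('UEsDBBQAAAAIAAAAIQA=');</script>"),
    # same indicators, but inside the Voltage Secure Messaging form -> excluded
    "voltage": ("secure.html", "<p>base64</p>" + VOLTAGE_SECURE_BLOCK + "AAAAAAA=\">"),
    # ordinary HTML with no decoder function -> no match
    "plain": ("newsletter.html", "<p>Quarterly update</p>"),
    # indicators present but the attachment is not HTML -> outside the rule's scope
    "not_html": ("invoice.pdf", "atob('UEsDB')"),
}

if __name__ == "__main__":
    print("base64(PK\\x03\\x04) =", zip_magic_base64())
    for label, (name, body) in SAMPLES.items():
        print(f"{label:9s} {name:16s} match={matches_rule(name, body)}")
```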
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: HTML smuggling with base64 encoded ZIP file"
description: "Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content that are decoded and executed client-side."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          and (
            // javascript functions to decode the base64
            strings.icontains(file.parse_text(.).text, 'atob')
            or strings.icontains(file.parse_text(.).text, 'fromCharCode')
            or strings.icontains(file.parse_text(.).text, 'base64')
          )
          // Magic bytes for a ZIP/Office File that have been base64 encoded
          and regex.contains(file.parse_text(.).text,
                             '[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB'
          )
          // negation of Micro Focus Voltage Secure Messaging
          and not strings.contains(file.parse_text(.).text,
                                   "<input type=\"hidden\" name=\"ZFRdata\" value=\"\n-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA"
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "47e388de-08f8-5261-8571-99dbf73a352d"