Attachment: HTML smuggling with base64 encoded JavaScript function

name: "Attachment: HTML smuggling with base64 encoded JavaScript function"
description: |
  This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type
  and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. 
  Such obfuscation tactics have been frequently observed in credential phishing campaigns.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.contains(., "data:text/javascript;base64")
                  )
                  // strings array is small
                  and length(.scan.strings.strings) < 10
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "4e8a12ec-3dda-5f4e-8646-f147039662d1"