← Back to Explore
sublimehighRule
Attachment: HTML file with reference to recipient and suspicious patterns
Attached HTML file (or HTML file within an attached email) contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns.
Detection Query
type.inbound
and any(attachments,
(
.content_type == "text/html"
or (.content_type == "message/rfc822" or .file_extension in ('eml'))
or .file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_type == "html"
)
and any(file.explode(.),
.flavors.mime in~ ("text/html", "text/plain")
and any(recipients.to,
any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
and any(file.explode(.),
(
any(.flavors.yara, . == "javascript_file")
// common indicator of HTML smuggling
and length(filter(.scan.javascript.identifiers,
strings.ilike(., "_0x*")
)
) > 50
)
or (
// javascript that doesn't get pulled out properly
.flavors.mime == "text/plain"
and strings.ilike(.file_name, "script*")
// common indicator of HTML smuggling
and length(filter(.scan.strings.strings,
regex.imatch(., ".*_0x.*")
)
) > 50
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: HTML file with reference to recipient and suspicious patterns"
description: |
Attached HTML file (or HTML file within an attached email) contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.content_type == "text/html"
or (.content_type == "message/rfc822" or .file_extension in ('eml'))
or .file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_type == "html"
)
and any(file.explode(.),
.flavors.mime in~ ("text/html", "text/plain")
and any(recipients.to,
any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
and any(file.explode(.),
(
any(.flavors.yara, . == "javascript_file")
// common indicator of HTML smuggling
and length(filter(.scan.javascript.identifiers,
strings.ilike(., "_0x*")
)
) > 50
)
or (
// javascript that doesn't get pulled out properly
.flavors.mime == "text/plain"
and strings.ilike(.file_name, "script*")
// common indicator of HTML smuggling
and length(filter(.scan.strings.strings,
regex.imatch(., ".*_0x.*")
)
) > 50
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "HTML smuggling"
- "Scripting"
detection_methods:
- "Content analysis"
- "File analysis"
- "HTML analysis"
- "Javascript analysis"
- "YARA"
id: "5333493d-48a8-532d-a621-d278a59bbf9b"