sublimehighRule

Attachment: HTML smuggling with eval and atob via calendar invite

Scans calendar invites (.ics files) to detect HTML smuggling techniques.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486 T1036 T1027 T1059

defense-evasionexecution

Detection Query

type.inbound
and any(attachments,
        (.file_extension =~ "ics" or .content_type == "text/calendar")
        // usage: onerror="eval(atob('
        and regex.imatch(file.parse_text(.).text, ".*eval.{1,4}atob.*")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Attachment: HTML smuggling with eval and atob via calendar invite"
description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (.file_extension =~ "ics" or .content_type == "text/calendar")
          // usage: onerror="eval(atob('
          and regex.imatch(file.parse_text(.).text, ".*eval.{1,4}atob.*")
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "597c2edd-ff97-5ef6-bcf4-8957011edd9c"