
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts

Detects inbound messages carrying a small HTML attachment (under 50,000 characters) that contains seven or more occurrences of 'const' together with a setTimeout() call, while excluding pages saved from a Gmail inbox and messages from high-trust sender domains that pass DMARC. A dense run of 'const' declarations combined with delayed execution is a heuristic indicator of potential code injection or obfuscation, such as an HTML smuggling payload.

Detection Query

// Flag inbound mail whose HTML attachment looks like an obfuscated script:
// many 'const' declarations plus a setTimeout() call in a small file.
type.inbound
and any(attachments,
        (
          // in~ is a case-insensitive match, so "index.HTM" still qualifies;
          // .file_type catches HTML content regardless of its extension.
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
        )
        // Raw substring count, not a token count: occurrences inside longer
        // words such as "constructor" or "constant" also contribute.
        // NOTE(review): consider a word-boundary regex if this over-fires.
        and strings.count(file.parse_html(.).raw, 'const') >= 7
        // Exclude a page saved from the Gmail inbox. This appears to be the
        // "saved from url" comment browsers add to saved pages; .{0,7} leaves
        // room for the "(NNNN)" length prefix.
        // NOTE(review): this marker is attacker-controllable text — a payload
        // that simply includes this comment bypasses the rule.
        and not regex.contains(file.parse_html(.).raw,
                               "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
        )
        // Size gate: only attachments under 50,000 characters are considered
        // (presumably to skip large, legitimate saved pages — TODO confirm).
        and length(file.parse_html(.).raw) < 50000
        // setTimeout() call; either pattern is sufficient. The first matches
        // an inline callback with any numeric delay (\d+ does not enforce a
        // "long" timeout despite the rule title); the second matches a named
        // callback with a delay of at least three digits (>= 100 ms), and
        // \)+ absorbs the extra closing paren of the Promise wrapper below.
        and regex.icontains(file.parse_html(.).raw,
                            'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
                            // const delay = new Promise((resolve) => setTimeout(resolve, 100));
                            'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
        )
)

// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
// coalesce() turns a missing DMARC verdict into false, so the exclusion only
// applies when DMARC explicitly passed — an unauthenticated lookalike of a
// trusted domain is still evaluated.
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email Messages · Email Headers · Email Attachments

Platforms

email
Raw Content
name: "Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts"
description: "Detects inbound messages carrying a small HTML attachment (under 50,000 characters) that contains seven or more occurrences of 'const' together with a setTimeout() call, while excluding pages saved from a Gmail inbox and messages from high-trust sender domains that pass DMARC. A dense run of 'const' declarations combined with delayed execution is a heuristic indicator of potential code injection or obfuscation, such as an HTML smuggling payload."
# Rule definition in Sublime's YAML format. `source` holds the MQL query as a
# block scalar, so the `//` lines inside it are MQL comments, not YAML ones.
type: "rule"
# NOTE(review): the rule name promises "abnormally long timeouts", but the
# query's first setTimeout pattern accepts any delay (\d+) and the second only
# requires three digits (>= 100 ms); consider tightening the regex or the name.
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          and strings.count(file.parse_html(.).raw, 'const') >= 7
          and not regex.contains(file.parse_html(.).raw,
                                 "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
          )
          and length(file.parse_html(.).raw) < 50000
          // long timeouts
          and regex.icontains(file.parse_html(.).raw,
                              'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
                              // const delay = new Promise((resolve) => setTimeout(resolve, 100));
                              'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
          )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
# Classification tags: the query targets script-bearing HTML attachments, hence
# HTML smuggling / scripting / evasion.
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "File analysis"
  - "Content analysis"
# Stable rule identifier — presumably referenced by existing tuning and
# suppressions; keep it unchanged when editing the query (TODO confirm).
id: "66f8a07a-5f0f-5a99-976c-a81d2de8b406"