sublimemediumRule

Attachment: Any HTML file within archive (unsolicited)

Recursively scans archives to detect HTML files from unsolicited senders. HTML files can be used for HTML smuggling and embedded in archives to evade detection.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1204.002 T1486 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.),
                .depth > 0 and .file_extension in~ ("html", "htm")
        )
)
and (
  not profile.by_sender().solicited
  or (profile.by_sender().any_messages_malicious_or_spam)
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://twitter.com/executemalware/status/1537569201577156611

Tags

Attack surface reduction

Raw Content

name: "Attachment: Any HTML file within archive (unsolicited)"
description: |
  Recursively scans archives to detect HTML files from unsolicited senders. 

  HTML files can be used for HTML smuggling and embedded in archives to evade detection.
references:
  - "https://twitter.com/executemalware/status/1537569201577156611"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .depth > 0 and .file_extension in~ ("html", "htm")
          )
  )
  and (
    not profile.by_sender().solicited
    or (profile.by_sender().any_messages_malicious_or_spam)
  )
  and not profile.by_sender().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "6a67c02c-d405-531e-850a-1722849c5fe4"