Attachment: EML file contains HTML attachment with login portal indicators

name: "Attachment: EML file contains HTML attachment with login portal indicators"
description: |
  Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
type: "rule"
severity: "high"
source: |
  type.inbound
  
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.imatch(subject.subject, "(undeliverable|read:).*")
  and not any(attachments, .content_type == "message/delivery-status")
  
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    (length(headers.references) == 0 and headers.in_reply_to is null)
    or (
      not strings.istarts_with(subject.subject, "re:")
      and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
      and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
    )
  )
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension in ('eml'))
          and any(file.explode(.),
                  // suspicious strings found in javascript
                  length(filter(.scan.javascript.strings,
                                strings.ilike(.,
                                              "*username*",
                                              "*login-form*",
                                              "*email-form*",
                                              "*Incorrect password. Please try again.*",
                                              "*Password Incomplete, please try again*"
                                )
                         )
                  ) >= 3
                  or (
  
                    // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
                    .flavors.mime in~ ("text/html", "text/plain")
                    and 3 of (
                      any(.scan.strings.strings, strings.ilike(., "*username*")),
                      any(.scan.strings.strings, strings.ilike(., "*login-form*")),
                      any(.scan.strings.strings, strings.ilike(., "*email-form*")),
                      any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*Incorrect password. Please try again.*"
                          )
                      ),
                      any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*Password Incomplete, please try again*"
                          )
                      )
                    )
                  )
                  or 
  
                  // Known phishing obfuscation
                  2 of (
                    // Enter password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Enter passwor&#100*"
                        )
                    ),
                    // Forgotten my password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Forgotten my passwor&#100*"
                        )
                    ),
                    // Sign in
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Sign i&#110*"
                        )
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
id: "6e4df158-6498-572b-9448-a343c531e5f9"