EXPLORE
Sign In
← Back to Explore
sublimehighRule

Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound

// RFP/RFQ language
and 1 of (
  regex.icontains(body.current_thread.text, '(discuss.{0,15}purchas(e|ing))'),
  regex.icontains(body.current_thread.text,
                  '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
  ),
  regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote'),
  regex.icontains(subject.subject,
                  '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
  ),
  any(attachments,
      regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))")
  ),
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
  ),
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "purchase_order" and .confidence == "high"
  )
)

// HTML smuggling
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                (
                  length(filter(.scan.javascript.identifiers,
                                strings.like(., "document", "write", "atob")
                         )
                  ) == 3
                  // usage: document['write'](atob)
                  or any(.scan.strings.strings,
                         strings.ilike(., "*document*write*atob*")
                  )
                  // usage: some_var = atob();
                  or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
                  // usage: obfuscating "atob"
                  or any(.scan.javascript.identifiers,
                         strings.ilike(., '*ato\u0062*')
                  )
                  // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                  or any(.scan.strings.strings,
                         strings.ilike(.,
                                       "*document*write*atob*",
                                       "*document*insertAdjacentHTML*atob*"
                         )
                  )
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment"
description: |
  RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations.
  These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.
type: "rule"
severity: "high"
source: |
  type.inbound
  
  // RFP/RFQ language
  and 1 of (
    regex.icontains(body.current_thread.text, '(discuss.{0,15}purchas(e|ing))'),
    regex.icontains(body.current_thread.text,
                    '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
    ),
    regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote'),
    regex.icontains(subject.subject,
                    '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
    ),
    any(attachments,
        regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))")
    ),
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    ),
    any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "purchase_order" and .confidence == "high"
    )
  )
  
  // HTML smuggling
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  (
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(., "document", "write", "atob")
                           )
                    ) == 3
                    // usage: document['write'](atob)
                    or any(.scan.strings.strings,
                           strings.ilike(., "*document*write*atob*")
                    )
                    // usage: some_var = atob();
                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
                    // usage: obfuscating "atob"
                    or any(.scan.javascript.identifiers,
                           strings.ilike(., '*ato\u0062*')
                    )
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(.,
                                         "*document*write*atob*",
                                         "*document*insertAdjacentHTML*atob*"
                           )
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a47a5755-a698-5daf-98b5-21cdcf893ee2"