← Back to Explore
sublimehighRule
Attachment: HTML smuggling with embedded base64 streamed file download
HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
)
and any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(.,
'<a href="data:application/octet-stream;base64,[a-z0-9/+]+={0,2}" download=".+\.[a-z]{2,3}'
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Malfam: QakBot
Raw Content
name: "Attachment: HTML smuggling with embedded base64 streamed file download"
description: |
HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers
to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
)
and any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(.,
'<a href="data:application/octet-stream;base64,[a-z0-9/+]+={0,2}" download=".+\.[a-z]{2,3}'
)
)
)
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "HTML smuggling"
- "Scripting"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "HTML analysis"
id: "e04de4e2-154f-5cf9-b108-dbf753ece511"