EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Attachment: HTML smuggling with excessive string concatenation and suspicious patterns

Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027T1059
defense-evasionexecutioninitial-access

Detection Query

type.inbound
and any(attachments,
        // HTML file, or something like it
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
          or .file_type == "html"
        )

        // small HTML file
        and .size < 5000

        // lots of concatenation (obfuscation technique)
        and strings.count(file.parse_html(.).raw, "+") > 20

        // contains a recipient's email address
        and any(recipients.to,
                strings.icontains(file.parse_html(..).raw, .email.email)
                and .email.domain.valid
        )

        // HTML smuggling
        and 1 of (
          strings.ilike(file.parse_html(.).raw, "*window.location.href*"),
          strings.ilike(file.parse_html(.).raw, "*createObjectURL*")
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: HTML smuggling with excessive string concatenation and suspicious patterns"
description: "Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          // HTML file, or something like it
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
            or .file_type == "html"
          )
  
          // small HTML file
          and .size < 5000
  
          // lots of concatenation (obfuscation technique)
          and strings.count(file.parse_html(.).raw, "+") > 20
  
          // contains a recipient's email address
          and any(recipients.to,
                  strings.icontains(file.parse_html(..).raw, .email.email)
                  and .email.domain.valid
          )
  
          // HTML smuggling
          and 1 of (
            strings.ilike(file.parse_html(.).raw, "*window.location.href*"),
            strings.ilike(file.parse_html(.).raw, "*createObjectURL*")
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "e34fce8d-e454-5090-99c6-bc66e1023957"