← Back to Explore
sublimehighRule
Attachment: Archive containing HTML file with file scheme link
Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.
Detection Query
type.inbound
and any(attachments,
.file_extension in $file_extensions_common_archives
and any(file.explode(.),
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .flavors.mime == "text/html"
or any(.flavors.yara, . == "html_file")
)
and any(.scan.url.urls, .scheme == "file")
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Archive containing HTML file with file scheme link"
description: "Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577."
references:
- "https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension in $file_extensions_common_archives
and any(file.explode(.),
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .flavors.mime == "text/html"
or any(.flavors.yara, . == "html_file")
)
and any(.scan.url.urls, .scheme == "file")
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Exploit"
- "HTML smuggling"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "File analysis"
- "HTML analysis"
id: "edf6d0d9-7d8e-5787-8467-7ca8b61a1b4c"