← Back to Explore
sublimelowRule
Attachment: Any HTML file (unsolicited)
Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Detection Query
type.inbound
and any(attachments,
.file_extension in~ ('htm', 'html') or .file_type == "html"
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Attachment: Any HTML file (unsolicited)"
description: |
Potential HTML smuggling attacks in unsolicited messages.
Use if passing HTML files is not normal behavior in your environment.
This rule may be expanded to inspect HTML attachments for suspicious code.
references:
- "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
- "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
type: "rule"
severity: "low"
source: |
type.inbound
and any(attachments,
.file_extension in~ ('htm', 'html') or .file_type == "html"
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
tags:
- "Attack surface reduction"
tactics_and_techniques:
- "HTML smuggling"
detection_methods:
- "File analysis"
- "HTML analysis"
- "Sender analysis"
id: "ef36763f-917d-5338-b1ac-84047334dce8"