← Back to Explore
sublimehighRule
Attachment: EML containing a base64 encoded script
Attached EML contains a base64 encoded script in the message body.
Detection Query
type.inbound
and length(body.current_thread.text) < 1000
and any(attachments,
(.content_type == "message/rfc822" or .file_extension == "eml")
and strings.ilike(file.parse_eml(.).body.html.raw,
"*script*data:text/html;base64*"
)
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not any(attachments, .content_type == "message/delivery-status")
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: EML containing a base64 encoded script"
description: "Attached EML contains a base64 encoded script in the message body."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.current_thread.text) < 1000
and any(attachments,
(.content_type == "message/rfc822" or .file_extension == "eml")
and strings.ilike(file.parse_eml(.).body.html.raw,
"*script*data:text/html;base64*"
)
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not any(attachments, .content_type == "message/delivery-status")
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "HTML smuggling"
- "Scripting"
- "Social engineering"
detection_methods:
- "File analysis"
- "HTML analysis"
- "Sender analysis"
id: "fc3d9445-b977-5653-814f-079d40c04609"