EXPLORE DETECTIONS
Attachment: HTML file contains exclusively JavaScript
Attached HTML file does not contain any HTML other than a <script> block.
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Detects messages with HTML attachments that contain multiple 'const' declarations and abnormally long timeouts, excluding legitimate Gmail messages. This pattern is evidence of potential code injection or obfuscation.
Attachment: HTML file with excessive padding and suspicious patterns
Attached HTML file contains excessive line breaks and suspicious JavaScript patterns.
Attachment: HTML file with reference to recipient and suspicious patterns
Attached HTML file (or HTML file within an attached email) contains references to the recipient's email address, indicative of credential phishing, together with suspicious JavaScript patterns.
Attachment: HTML smuggling - QR Code with suspicious links
This rule detects messages with HTML attachments containing QR codes that encode suspicious links.
Attachment: HTML smuggling 'body onload' linking to suspicious destination
Potential HTML smuggling. This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must appear in the URLhaus trusted reporters list or have a suspicious TLD.
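The script-only, recipient-reference and body onload rules above are all structural checks on the attachment rather than on its payload. The following Python is an added example written for this page, not the catalog's own rule logic, showing how those three checks can be expressed over an HTML file. The suspicious-TLD list, the sample attachments and the base64 variant of the recipient check are assumptions made here; the URLhaus reporter lookup that the onload rule also uses is an external feed and is omitted.

```python
"""Structural checks on an HTML attachment: script-only file, <body onload>
handler paired with a single link on a suspicious TLD, and a reference to the
recipient's address (plain or base64). Added example, not a catalog rule; the
TLD list and the samples are illustrative assumptions."""
import base64
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative TLD list. A production rule would also consult an
# external reputation feed (the catalog names URLhaus); that lookup is omitted.
SUSPICIOUS_TLDS = {"xyz", "top", "click", "zip", "tk", "gq", "cf", "ml"}
WRAPPER_TAGS = {"html", "head", "body", "script"}


class AttachmentWalker(HTMLParser):
    """Collect the few structural facts the heuristics need."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_chars = 0
        self.visible_chars = 0
        self.body_onload = None
        self.hrefs = []
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "body" and "onload" in attrs:
            self.body_onload = attrs["onload"] or ""
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_chars += len(data)
        else:
            self.visible_chars += len(data.strip())


def last_label(url):
    """Rightmost DNS label of the URL's host, lower-cased ('' if none)."""
    host = (urlparse(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] if "." in host else ""


def analyze(html, recipient):
    w = AttachmentWalker()
    w.feed(html)
    w.close()
    content_tags = w.tags - WRAPPER_TAGS
    single_link_tld = last_label(w.hrefs[0]) if len(w.hrefs) == 1 else ""
    recipient_b64 = base64.b64encode(recipient.encode()).decode()
    return {
        # "contains exclusively JavaScript": a <script> block and nothing else of substance
        "script_only": "script" in w.tags and not content_tags and w.visible_chars == 0,
        # body onload plus exactly one link, and that link sits on a TLD we treat as suspicious
        "onload_single_suspicious_link": (
            w.body_onload is not None and len(w.hrefs) == 1 and single_link_tld in SUSPICIOUS_TLDS),
        # recipient address present in clear or as base64 (the base64 form is an extension here)
        "references_recipient": recipient.lower() in html.lower() or recipient_b64 in html,
        "script_chars": w.script_chars,
    }


# Constructed samples for this example; not real phishing artifacts.
ONLOAD_SAMPLE = """<html><body onload="document.getElementById('go').click()">
<a id="go" href="https://verify-mailbox.example.xyz/?u=victim@example.com">Open document</a>
</body></html>"""

SCRIPT_ONLY_SAMPLE = "<script>var p='PGh0bWw+';document.write(atob(p));</script>"

if __name__ == "__main__":
    print(analyze(ONLOAD_SAMPLE, "victim@example.com"))
    print(analyze(SCRIPT_ONLY_SAMPLE, "victim@example.com"))
```

The walker deliberately ignores tag nesting beyond the script flag: the rules only need counts of links, the presence of an onload handler and whether any non-script text exists, so a full DOM is unnecessary and the stdlib parser tolerates the malformed markup that smuggling files typically carry.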
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Potential HTML smuggling. This rule inspects HTML attachments that contain a body onload handler, high entropy, and suspicious text.
Attachment: HTML smuggling Microsoft sign in
Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
Attachment: HTML smuggling with atob and high entropy
Recursively scans files and archives to detect HTML smuggling techniques using the JavaScript atob function.
Attachment: HTML smuggling with atob and high entropy via calendar invite
Scans calendar invites (.ics files) to detect HTML smuggling techniques.
Attachment: HTML smuggling with auto-downloaded file
HTML attachments containing files that are automatically downloaded with JavaScript.
Attachment: HTML smuggling with base64 encoded JavaScript function
This rule identifies attachments that have an HTML extension, no file extension, or an unrecognized file type and that use Base64 encoding to conceal JavaScript functions inside HTML script tags with little or no other content. This obfuscation tactic is frequently observed in credential phishing campaigns.
Attachment: HTML smuggling with base64 encoded ZIP file
Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content that are decoded and executed client-side.
Attachment: HTML smuggling with concatenation obfuscation
Recursively scans files and archives to detect HTML smuggling techniques.
Attachment: HTML smuggling with decimal encoding
Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.
Attachment: HTML smuggling with embedded base64 streamed file download
HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
Attachment: HTML smuggling with embedded base64-encoded executable
HTML attachment contains a base64-encoded executable.
Attachment: HTML smuggling with embedded base64-encoded ISO
HTML attachment contains a base64-encoded ISO. This is a known TTP for multiple threat actors.
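The atob/high-entropy, auto-download, base64 ZIP/Office, streamed-download, executable and ISO rules above rest on the same mechanics: find long base64 runs in the attachment, decode them and look at what they carry. The following Python is an added example written for this page, not a rule from the catalog, showing that pipeline end to end: Shannon entropy of each run, magic-byte identification of the decoded file (PE, ZIP/OOXML, OLE2, PDF, ISO 9660), and detection of the atob/Blob/createObjectURL decoder and the `.download`/`.click()` auto-download pattern. The 200-character minimum run, the 5.0 bits/char entropy threshold and the ZIP- and ISO-shaped blobs are assumptions constructed here.

```python
"""Pull long base64 runs out of an HTML attachment, measure their entropy,
decode them and identify the carried file by magic bytes; also flag the
client-side decoder and auto-download calls that accompany smuggling.
Added example, not a catalog rule; thresholds and samples are assumptions."""
import base64
import io
import math
import re
import zipfile

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # assumption: 200 chars is the shortest run of interest
HIGH_ENTROPY = 5.0                                      # assumption: bits/char over a 64-symbol alphabet (max 6.0)
DECODER_HINTS = ("atob(", "fromCharCode", "Uint8Array", "Blob(", "createObjectURL", "eval(")
AUTO_DOWNLOAD = re.compile(r"\.download\s*=|\.click\(\)|msSaveOrOpenBlob")

# (offset, signature, label). ISO 9660 keeps its volume descriptor at sector 16, byte 1.
MAGIC = [
    (0, b"MZ", "executable (PE)"),
    (0, b"PK\x03\x04", "zip/office-openxml"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2/legacy office"),
    (0, b"%PDF", "pdf"),
    (0x8001, b"CD001", "iso9660"),
]


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identify(data):
    """Label the decoded blob by magic bytes, or None if nothing matches."""
    for off, sig, label in MAGIC:
        if data[off:off + len(sig)] == sig:
            return label
    return None


def scan(html):
    blobs = []
    for m in B64_RUN.finditer(html):
        run = m.group(0)
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:          # not base64 after all (binascii.Error subclasses ValueError)
            continue
        ent = shannon_entropy(run)
        blobs.append({"offset": m.start(), "length": len(run), "entropy": round(ent, 2),
                      "high_entropy": ent >= HIGH_ENTROPY, "file_type": identify(raw)})
    return {
        "decoder_hints": [h for h in DECODER_HINTS if h in html],
        "auto_download": AUTO_DOWNLOAD.search(html) is not None,
        "blobs": blobs,
    }


def make_zip_bytes():
    """Constructed ZIP (stored, not deflated) whose base64 form is high-entropy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("invoice.js", bytes(range(256)) * 2)
    return buf.getvalue()


ZIP_B64 = base64.b64encode(make_zip_bytes()).decode()
# Minimal ISO-shaped blob: zeros up to the descriptor, so low entropy but a valid magic.
ISO_B64 = base64.b64encode(b"\x00" * 0x8001 + b"CD001").decode()

# Constructed sample attachment: the usual atob -> Uint8Array -> Blob -> click() chain.
SAMPLE_HTML = f"""<html><body>
<script>
var payload = "{ZIP_B64}";
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script>
<div hidden>{ISO_B64}</div>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

Entropy and magic bytes are complementary: the ZIP run scores well above the threshold while the zero-padded ISO scores near 0.0, yet the ISO is still identified once decoded. A rule that keys on entropy alone would miss sparse images, and one that keys on magic bytes alone would miss a blob it cannot decode, so the catalog's pairing of "atob and high entropy" with separate file-type rules is the sensible split.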
Attachment: HTML smuggling with eval and atob
Recursively scans files and archives to detect HTML smuggling techniques.
Attachment: HTML smuggling with eval and atob via calendar invite
Scans calendar invites (.ics files) to detect HTML smuggling techniques.
Attachment: HTML smuggling with excessive line break obfuscation
Credential phishing attacks have been observed using excessive line breaks to obfuscate JavaScript functions within HTML files.
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.
Attachment: HTML smuggling with fromCharCode and other signals
Recursively scans files and archives to detect HTML smuggling techniques.
Attachment: HTML smuggling with hex strings
Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.
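The decimal-encoding, fromCharCode, hex-string and line-break rules above describe different encodings of one trick: the script is stored as numbers and rebuilt at runtime, often surrounded by padding. The following Python is an added example written for this page, not the catalog's rule logic. It locates decimal char-code lists, `\x` escape runs and bare hex strings, decodes each to show what the attachment would execute, and measures the line-break padding the excessive-line-break rules look for. The minimum run lengths, the padding metrics and the sample attachment are assumptions.

```python
"""Decode the numeric string encodings used to hide JavaScript in HTML
attachments (decimal char-code lists, \\x hex escapes, bare hex strings) and
measure line-break padding. Added example, not a catalog rule; the minimum
run lengths and the sample attachment are assumptions."""
import re

# Assumption: minimum run lengths; tune against your own corpus.
DEC_LIST = re.compile(r"(?:\d{1,3}\s*,\s*){20,}\d{1,3}")          # 21+ comma-separated byte values
HEX_ESC = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){16,}")               # \x68\x74\x74... runs
HEX_PLAIN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){40,}(?![0-9A-Fa-f])")  # bare hex fed to parseInt(..., 16)
DECODER_HINTS = ("fromCharCode", "parseInt(", "unescape(", "eval(", "atob(")


def decode_decimal(run):
    """'104,116,116,112' -> b'http'; None if any value is not a byte."""
    vals = [int(v) for v in re.findall(r"\d{1,3}", run)]
    return bytes(vals) if all(v < 256 for v in vals) else None


def find_encoded_blocks(html):
    """Return (kind, offset, decoded_bytes) for every encoded run, in file order."""
    blocks = []
    for m in DEC_LIST.finditer(html):
        raw = decode_decimal(m.group(0))
        if raw is not None:
            blocks.append(("decimal", m.start(), raw))
    for m in HEX_ESC.finditer(html):
        blocks.append(("hex-escape", m.start(), bytes.fromhex(m.group(0).replace("\\x", ""))))
    for m in HEX_PLAIN.finditer(html):
        blocks.append(("hex", m.start(), bytes.fromhex(m.group(0))))
    return sorted(blocks, key=lambda b: b[1])


def longest_blank_run(lines):
    """Longest run of consecutive whitespace-only lines."""
    best = cur = 0
    for line in lines:
        cur = cur + 1 if not line.strip() else 0
        best = max(best, cur)
    return best


def analyze(html):
    blocks = find_encoded_blocks(html)
    return {
        "decoder_hints": [h for h in DECODER_HINTS if h in html],
        "encoded_blocks": [(kind, off, len(raw)) for kind, off, raw in blocks],
        # latin-1 maps every byte to a character, so previews never fail to decode
        "decoded_preview": [raw.decode("latin-1") for _, _, raw in blocks],
        "newline_ratio": round(html.count("\n") / max(len(html), 1), 3),
        "blank_line_run": longest_blank_run(html.split("\n")),
    }


# Constructed sample: one redirect payload hidden three ways behind 400 blank lines.
JS_PAYLOAD = b"document.location='https://login.example.test/'"
DEC = ",".join(str(b) for b in JS_PAYLOAD)
HEX_ESCAPED = "".join(f"\\x{b:02x}" for b in JS_PAYLOAD)
HEX_BARE = JS_PAYLOAD.hex()

SAMPLE_HTML = (
    "<html><body>\n" + "\n" * 400              # padding before the script block
    + "<script>\n"
    + f"var d=[{DEC}];\n"
    + "eval(String.fromCharCode.apply(null,d));\n"
    + f'var h="{HEX_ESCAPED}";\n'
    + "eval(h);\n"
    + f'var x="{HEX_BARE}".match(/../g).map(c=>parseInt(c,16));\n'
    + "eval(String.fromCharCode.apply(null,x));\n"
    + "</script></body></html>\n"
)

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

Decoding rather than merely matching is the point: the decoded preview is what an analyst (or a downstream rule such as the recipient-address or Microsoft sign-in checks) actually needs, and it survives trivial re-encodings of the same payload that a signature on the encoded text would not.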