EXPLORE DETECTIONS
Attachment: HTML smuggling Microsoft sign in
Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
Attachment: HTML smuggling with atob and high entropy
Recursively scans files and archives to detect HTML smuggling techniques that use the JavaScript atob function together with high-entropy string content.
Attachment: HTML smuggling with atob and high entropy via calendar invite
Scans calendar invites (.ics files) to detect HTML smuggling techniques that use the JavaScript atob function together with high-entropy string content.
Attachment: HTML smuggling with auto-downloaded file
Detects HTML attachments containing embedded files that JavaScript downloads automatically when the attachment is opened.
Attachment: HTML smuggling with base64 encoded JavaScript function
This rule identifies attachments that have an HTML extension, lack a file extension, or have an unrecognized file type, and that use Base64 encoding to conceal JavaScript functions inside HTML script tags with little to no other content. Such obfuscation has been frequently observed in credential phishing campaigns.
Attachment: HTML smuggling with base64 encoded ZIP file
Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content, where they are decoded and dropped client-side.
Attachment: HTML smuggling with concatenation obfuscation
Recursively scans files and archives to detect HTML smuggling techniques that hide the payload behind string-concatenation obfuscation.
Attachment: HTML smuggling with decimal encoding
Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.
Attachment: HTML smuggling with embedded base64 streamed file download
HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
Attachment: HTML smuggling with embedded base64-encoded executable
HTML attachment contains a base64-encoded executable.
Attachment: HTML smuggling with embedded base64-encoded ISO
HTML attachment contains a base64-encoded ISO image. This is a known TTP for multiple threat actors.
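The base64 family of rules above (encoded JavaScript, ZIP/Office, executable, ISO) all reduce to the same check: carve long base64 literals out of the attachment, decode them, and look at the magic bytes of what comes out, then confirm a decoder and a download sink are present in the same file. The following is an added example of that check, not the vendor's rule logic; the HTML sample is constructed inline (a bare ZIP local-file header plus filler, decoded with atob and dropped through a Blob and a synthetic anchor click), and the signature table and sink list are assumptions, not the product's.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample, not a captured attachment: a minimal smuggling page
# carrying a base64 ZIP (a ZIP local-file header plus filler) that is decoded
# with atob and dropped through a Blob, an object URL and a synthetic click.
ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60 + b"invoice.lnk").decode()
SAMPLE_HTML = f"""<html><body>
<script>
var d = "{ZIP_B64}";
var b = atob(d); var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: "application/zip"}});
var l = document.createElement("a");
l.href = URL.createObjectURL(blob); l.download = "invoice.zip"; l.click();
</script></body></html>"""

# Container signatures (assumed table): (offset, magic, label). ZIP also covers
# OOXML Office files; the ISO 9660 volume descriptor sits at 0x8001, after the
# 32 KiB system area, so an offset-0 check would miss it.
MAGIC = [
    (0, b"PK\x03\x04", "zip/ooxml"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2/legacy-office"),
    (0, b"MZ", "pe-executable"),
    (0x8001, b"CD001", "iso9660"),
]
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
DECODERS = re.compile(r"\b(atob|fromCharCode|Uint8Array|unescape|decodeURIComponent)\b")
DOWNLOAD_SINKS = re.compile(r"(createObjectURL|\.download\s*=|msSaveOrOpenBlob|msSaveBlob|\.click\(\))")


def identify(blob: bytes) -> Optional[str]:
    """Return the container type of a decoded payload, or None if unknown."""
    for offset, sig, label in MAGIC:
        if blob[offset:offset + len(sig)] == sig:
            return label
    return None


def carve_base64_payloads(html: str) -> list:
    """Decode every long base64 literal and classify it by magic bytes."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad length or padding)
        found.append({"offset": m.start(1), "size": len(raw), "type": identify(raw)})
    return found


def assess_attachment(html: str) -> dict:
    """Combine payload, decoder and download-sink evidence into a verdict."""
    payloads = carve_base64_payloads(html)
    decoders = sorted(set(DECODERS.findall(html)))
    sinks = sorted(set(DOWNLOAD_SINKS.findall(html)))
    carries_file = any(p["type"] for p in payloads)
    verdict = "html_smuggling" if carries_file and decoders and sinks else "clean"
    return {"payloads": payloads, "decoders": decoders, "download_sinks": sinks, "verdict": verdict}


if __name__ == "__main__":
    print(assess_attachment(SAMPLE_HTML))
```

Decoding rather than pattern-matching the literal is what makes the rule robust to a renamed variable or a split string: the ZIP, OLE, PE and ISO checks all run on the decoded bytes, and the ISO case shows why the offset must be part of the signature.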
Attachment: HTML smuggling with eval and atob
Recursively scans files and archives to detect HTML smuggling techniques that pass the output of atob to eval.
Attachment: HTML smuggling with eval and atob via calendar invite
Scans calendar invites (.ics files) to detect HTML smuggling techniques that pass the output of atob to eval.
Attachment: HTML smuggling with excessive line break obfuscation
Credential phishing attacks have been observed using excessive line breaks to obfuscate JavaScript functions within HTML files.
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.
Attachment: HTML smuggling with fromCharCode and other signals
Recursively scans files and archives to detect HTML smuggling techniques that use String.fromCharCode in combination with other suspicious signals.
Attachment: HTML smuggling with hex strings
Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.
Attachment: HTML smuggling with high entropy and other signals
Recursively scans files and archives to detect HTML smuggling techniques that combine high-entropy content with other suspicious signals.
Attachment: HTML smuggling with raw array buffer
Recursively scans files and archives to detect HTML smuggling techniques that assemble the payload from a raw ArrayBuffer.
Attachment: HTML smuggling with RC4 decryption
Potential HTML smuggling. The RC4 algorithm is implemented in inline JavaScript to decrypt the payload on the fly.
Attachment: HTML smuggling with ROT13
Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.
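The RC4 and ROT13 rules above both depend on recognising a cipher from its shape rather than from variable names, which attackers rename freely. The following is an added example of identifier-independent signals for both, not the vendor's rule logic: the two JavaScript samples are constructed (an inline RC4 key-scheduling and keystream loop, and the classic one-line ROT13 replace), and the signal names, patterns and hit thresholds are assumptions.

```python
import re

# Constructed samples, not captured attachments. RC4_SAMPLE is the inline
# decryptor shape typically seen before a document.write() of the decoded page;
# ROT13_SAMPLE is the classic one-line JavaScript ROT13 helper.
RC4_SAMPLE = """
function k(key, data) {
  var s = [], j = 0, t, out = '';
  for (var i = 0; i < 256; i++) { s[i] = i; }
  for (i = 0; i < 256; i++) {
    j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
    t = s[i]; s[i] = s[j]; s[j] = t;
  }
  i = 0; j = 0;
  for (var y = 0; y < data.length; y++) {
    i = (i + 1) % 256;
    j = (j + s[i]) % 256;
    t = s[i]; s[i] = s[j]; s[j] = t;
    out += String.fromCharCode(data.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
  }
  return out;
}
document.write(k("4f3a", atob(payload)));
"""
ROT13_SAMPLE = """
function r(s) {
  return s.replace(/[a-zA-Z]/g, function (c) {
    return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
  });
}
document.write(r(h));
"""
BENIGN_SAMPLE = "document.getElementById('total').innerText = items.length + ' items';"

# Identifier-independent signals (assumed set): every name is matched with \w+
# and tied together with back-references, so renaming variables does not evade them.
RC4_SIGNALS = {
    "ksa_256_loop": r"for\s*\(\s*(?:var\s+|let\s+)?\w+\s*=\s*0\s*;\s*\w+\s*<\s*256\s*;",
    "mod_256_or_and_255": r"%\s*256\b|&\s*255\b",
    # t = s[i]; s[i] = s[j]; s[j] = t;  (the S-box swap)
    "sbox_swap": r"(\w+)\s*=\s*(\w+)\s*\[\s*(\w+)\s*\]\s*;\s*\2\s*\[\s*\3\s*\]\s*=\s*\2\s*\[\s*(\w+)\s*\]\s*;\s*\2\s*\[\s*\4\s*\]\s*=\s*\1\s*;",
    # s[(s[i] + s[j]) % 256]  (the keystream byte index)
    "prga_keystream_index": r"(\w+)\s*\[\s*\(\s*\1\s*\[\s*\w+\s*\]\s*\+\s*\1\s*\[\s*\w+\s*\]\s*\)\s*(?:%\s*256|&\s*255)\s*\]",
    "xor_with_charcode": r"charCodeAt\s*\([^)]*\)\s*\^",
}
ROT13_SIGNALS = {
    "rot13_identifier": r"rot[_-]?13",
    "alpha_only_replace": r"\.replace\s*\(\s*/\[(?:a-zA-Z|A-Za-z|a-z)\]/gi?",
    "shift_by_13": r"charCodeAt\s*\(\s*0?\s*\)\s*\+\s*13\b",
    "wrap_by_26": r"(?:-|%)\s*26\b",
    "z_bounds": r"\b90\b[^;]*\b122\b|[\"']Z[\"']",
}


def match_signals(js: str, signals: dict) -> list:
    """Names of the signals whose pattern occurs anywhere in the script."""
    return [name for name, pat in signals.items() if re.search(pat, js, re.IGNORECASE)]


def classify_cipher(js: str) -> dict:
    """Score both signal sets; thresholds are assumptions for this example."""
    rc4 = match_signals(js, RC4_SIGNALS)
    rot13 = match_signals(js, ROT13_SIGNALS)
    if len(rc4) >= 3:
        verdict = "rc4_inline_decryptor"
    elif len(rot13) >= 2:
        verdict = "rot13_obfuscation"
    else:
        verdict = "clean"
    return {"rc4": rc4, "rot13": rot13, "verdict": verdict}


if __name__ == "__main__":
    for sample in (RC4_SAMPLE, ROT13_SAMPLE, BENIGN_SAMPLE):
        print(classify_cipher(sample))
```

The ROT13 sample names its function r, not rot13, and still trips four of the five signals; that is the point of matching the arithmetic (the 13 shift, the 26 wrap, the 90/122 bounds) instead of the identifier the rule description mentions.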
Attachment: HTML smuggling with setTimeout
Recursively scans files and archives to detect HTML smuggling techniques that use setTimeout.
Attachment: HTML smuggling with unescape
Recursively scans files and archives to detect HTML smuggling techniques that use the JavaScript unescape function.
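The decimal-encoding, hex-string, high-entropy and unescape rules above share one approach: find the encoded run, decode it, and judge what it decodes to, while measuring the randomness of any long string literal that cannot be decoded in place. The following is an added example of that approach, not the vendor's rule logic; the attachment is constructed inline (the same dropper fragments as a decimal array, as \xNN escapes and as %NN percent-encoding for unescape, plus one random-looking literal standing in for a base64 payload), and the minimum run lengths, entropy threshold and token list are assumptions.

```python
import math
import re
from urllib.parse import unquote_to_bytes


def _dec(s: bytes) -> str:
    return ",".join(str(b) for b in s)


def _hex(s: bytes) -> str:
    return "".join("\\x%02x" % b for b in s)


def _pct(s: bytes) -> str:
    return "".join("%%%02X" % b for b in s)


# Constructed sample, not a captured attachment: the same dropper fragments
# under three encodings, plus one high-entropy literal standing in for a
# base64 payload that the decoded code would feed to atob().
SAMPLE_HTML = (
    "<html><script>\n"
    "var a = [" + _dec(b"document.write(atob(h))") + "];\n"
    "var f = \"" + _hex(b"String.fromCharCode") + "\";\n"
    "var u = unescape(\"" + _pct(b"<script>eval(a)</script>") + "\");\n"
    "var h = \"" + "Kx9Qz2mLpW8vR3nTbY7cJ4fHd6sGa1eNqU5iVoZ0rXtBwMyk" * 2 + "\";\n"
    "</script></html>"
)

# Minimum run lengths are assumptions chosen to skip short legitimate arrays.
DECIMAL_RUN = re.compile(r"(?:\b\d{1,3}\s*,\s*){15,}\d{1,3}\b")
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
PERCENT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")
SUSPICIOUS = ("<script", "document.write", "eval(", "atob(", "fromCharCode", "createObjectURL")


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 text sits near 6, English prose near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_numeric_blocks(html: str) -> list:
    """Decode decimal, \\xNN and %NN runs into the text they hide."""
    out = []
    for m in DECIMAL_RUN.finditer(html):
        data = bytes(int(v) for v in re.split(r"\s*,\s*", m.group(0)))
        out.append(("decimal", data.decode("latin-1")))
    for m in HEX_RUN.finditer(html):
        data = bytes.fromhex(m.group(0).replace("\\x", ""))
        out.append(("hex", data.decode("latin-1")))
    for m in PERCENT_RUN.finditer(html):
        out.append(("percent", unquote_to_bytes(m.group(0)).decode("latin-1")))
    return out


def high_entropy_literals(html: str, min_len: int = 64, threshold: float = 4.5) -> list:
    """String literals long and random-looking enough to be an encoded payload."""
    hits = []
    for m in STRING_LITERAL.finditer(html):
        body = m.group(2)
        if len(body) >= min_len:
            h = shannon_entropy(body)
            if h >= threshold:
                hits.append((round(h, 2), body[:16] + "..."))
    return hits


def scan_encodings(html: str) -> dict:
    """Decoded runs that spell out script sinks plus an opaque blob is the smuggling shape."""
    decoded = decode_numeric_blocks(html)
    suspicious = [d for d in decoded if any(tok in d[1] for tok in SUSPICIOUS)]
    entropy_hits = high_entropy_literals(html)
    if suspicious and entropy_hits:
        verdict = "html_smuggling"
    elif suspicious or entropy_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"decoded": decoded, "suspicious_decoded": suspicious, "high_entropy": entropy_hits, "verdict": verdict}


if __name__ == "__main__":
    print(scan_encodings(SAMPLE_HTML))
```

Note that the hex and percent literals themselves score low on entropy (a quarter of their characters are the backslash-x or percent prefix), which is why the decoded text, not the raw literal, is what gets matched against the sink tokens.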
Attachment: HTML with emoji-to-character map
Detects inbound messages containing HTML attachments with a list or map holding an unusually high number of emojis, sent from untrusted or suspicious senders who lack an established sending history or have prior malicious behavior.
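The emoji-to-character map is a substitution table: the script carries an object literal keyed by emoji, and the real payload is a string of emoji that is translated back through it at run time. The following is an added example of recovering that table and decoding through it, not the vendor's rule logic; the JavaScript sample is constructed (a 26-entry map and one encoded literal), and the emoji code-point ranges and the minimum map size are assumptions.

```python
import re

# Constructed sample, not a captured attachment: a 26-entry emoji-to-letter
# map and a string literal encoded with it (it spells "atob").
SAMPLE_JS = (
    'var m = {"😀":"a","😃":"b","😄":"c","😁":"d","😆":"e","😅":"f","😂":"g",'
    '"🤣":"h","😊":"i","😇":"j","🙂":"k","🙃":"l","😉":"m","😌":"n","😍":"o",'
    '"🥰":"p","😘":"q","😗":"r","😙":"s","😚":"t","😋":"u","😛":"v","😝":"w",'
    '"😜":"x","🤪":"y","🤨":"z"};\n'
    'var e = "😀😚😍😃";\n'
    'var s = ""; for (var i of e) s += m[i]; window[s](p);\n'
)

MAP_ENTRY = re.compile(r"""(["'])(.+?)\1\s*:\s*(["'])(.*?)\3""")
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")


def is_emoji(ch: str) -> bool:
    """Assumed ranges: the main pictographic blocks (emoticons, symbols, supplemental)."""
    cp = ord(ch)
    return 0x1F300 <= cp <= 0x1FAFF or 0x2600 <= cp <= 0x27BF


def extract_emoji_map(js: str) -> dict:
    """Collect key/value pairs whose key is entirely emoji and value is one character."""
    table = {}
    for m in MAP_ENTRY.finditer(js):
        key, value = m.group(2), m.group(4)
        if key and all(is_emoji(c) for c in key) and len(value) == 1:
            table[key] = value
    return table


def decode_with_map(js: str, table: dict, min_len: int = 4) -> list:
    """Translate every emoji-only string literal of min_len+ characters through the map."""
    decoded = []
    for m in STRING_LITERAL.finditer(js):
        body = m.group(2)
        if len(body) >= min_len and all(c in table for c in body):
            decoded.append("".join(table[c] for c in body))
    return decoded


def scan_emoji_map(js: str, min_entries: int = 10) -> dict:
    """A map of min_entries+ single-character emoji keys is the obfuscation signal."""
    table = extract_emoji_map(js)
    decoded = decode_with_map(js, table) if table else []
    verdict = "emoji_map_obfuscation" if len(table) >= min_entries else "clean"
    return {"map_size": len(table), "decoded": decoded, "verdict": verdict}


if __name__ == "__main__":
    print(scan_emoji_map(SAMPLE_JS))
```

Decoding the encoded literal is what turns the count-based signal in the rule description into something a triager can act on: here the emoji string resolves to the name of the decoder the script looks up on window.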