EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: HTML smuggling with fromCharCode and other signals

Recursively scans files and archives to detect HTML smuggling techniques.

T1566T1566.001T1566.002T1598T1204.002+4
Sublimehigh

Attachment: HTML smuggling with hex strings

Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: HTML smuggling with high entropy and other signals

Recursively scans files and archives to detect HTML smuggling techniques.

T1566.001T1204.002T1486T1036T1027+1
Sublimehigh

Attachment: HTML smuggling with raw array buffer

Recursively scans files and archives to detect HTML smuggling techniques.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: HTML smuggling with RC4 decryption

Potential HTML smuggling. The RC4 algorithm is used within inline JavaScript to decrypt the payload on-the-fly.

T1566T1566.001T1566.002T1598T1204.002+5
Sublimehigh

Attachment: HTML smuggling with ROT13

Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.

T1566T1566.001T1566.002T1598T1204.002+5
Sublimehigh

Attachment: HTML smuggling with setTimeout

Recursively scans files and archives to detect HTML smuggling techniques.

T1566T1566.001T1566.002T1598T1204.002+4
Sublimehigh

Attachment: HTML smuggling with unescape

Recursively scans files and archives to detect HTML smuggling techniques.

T1566T1566.001T1566.002T1598T1204.002+4
Sublimehigh

Attachment: HTML with emoji-to-character map

Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior.

T1566T1566.001T1566.002T1598T1036+3
Sublimehigh

Attachment: HTML with hidden body

This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body.

T1566T1566.001T1566.002T1598T1036+2
Sublimehigh

Attachment: HTML with JavaScript functions for HTTP requests

This rule identifies HTML attachments which contain multiple references to JavaScript functions that support making HTTP requests. This has been observed in phishing campaigns to load remote payloads into otherwise benign HTML attachments.

T1566T1566.001T1566.002T1598T1036+2
Sublimehigh

Attachment: HTML with obfuscation and recipient's email in JavaScript strings

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

T1566T1566.001T1566.002T1598T1059
Sublimehigh

Attachment: ICS calendar file with base64 encoded recipient address in URL parameters

Detects inbound messages containing ICS calendar attachments where event links have multiple URL parameters, and the base64 decoded combination of those parameters matches the recipient's email address. This technique may be used to personalize malicious links or track specific targets.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: ICS calendar file with QR code containing recipient email address

Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: ICS calendar file with recipient address in UID field

Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering.

T1566T1566.001T1566.002T1598
Sublimehigh

Attachment: ICS calendar file with suspicious product identifier

Detects inbound messages containing ICS calendar attachments that have product identifiers matching patterns commonly associated with malicious calendar invitations. The rule identifies ICS files through multiple detection methods and analyzes the product_id field for suspicious formatting that may indicate automated generation or spoofing attempts.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: ICS calendar file with suspicious UID domain

Detects inbound messages containing ICS calendar attachments where the event UID property ends with a specific domain (@example.com). Malicious actors may use calendar invites to socially engineer recipients into accepting fraudulent meetings or following malicious instructions embedded in calendar events.

T1566T1566.001T1566.002T1598T1534+1
Sublimemedium

Attachment: ICS calendar with embedded file from internal sender with SPF failure

Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: ICS file with AWS Lambda URL

Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: ICS file with excessive custom properties

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: ICS file with links to newly registered domains

Detects calendar invite attachments (ICS files) containing links to domains registered within the last 30 days, which may indicate malicious calendar invitations designed to redirect users to suspicious websites.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: ICS file with meeting prefix

Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'.

T1566.002T1534T1656T1566T1566.001+1
Sublimehigh

Attachment: ICS file with non-Gregorian calendar scale

Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: ICS with embedded document

ICS invite contains an embedded document.

T1566.001T1204.002T1486T1036T1027
Sublimelow
PreviousPage 6 of 49Next