Attachment: Any HTML file within archive (unsolicited)

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling and embedded in archives to evade detection.

Sublime rule (View on GitHub)

 1name: "Attachment: Any HTML file within archive (unsolicited)"
 2description: |
 3  Recursively scans archives to detect HTML files from unsolicited senders. 
 4
 5  HTML files can be used for HTML smuggling and embedded in archives to evade detection.  
 6references:
 7  - "https://twitter.com/executemalware/status/1537569201577156611"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and any(attachments,
13          .file_extension in~ $file_extensions_common_archives
14          and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
15  )
16  and (
17    not profile.by_sender().solicited
18    or (
19      profile.by_sender().any_messages_malicious_or_spam
20    )
21  )
22
23  and not profile.by_sender().any_false_positives  
24tags:
25  - "Attack surface reduction"
26attack_types:
27  - "Credential Phishing"
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "HTML smuggling"
32detection_methods:
33  - "Archive analysis"
34  - "File analysis"
35id: "6a67c02c-d405-531e-850a-1722849c5fe4"

Related rules

to-top