Attachment: Any HTML file within archive (unsolicited)

calendar Jan 12, 2026 · Attack surface reduction  ·
Share on: linkedin copy

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling and embedded in archives to evade detection.

Sublime rule (View on GitHub)

 1name: "Attachment: Any HTML file within archive (unsolicited)"
 2description: |
 3  Recursively scans archives to detect HTML files from unsolicited senders. 
 4
 5  HTML files can be used for HTML smuggling and embedded in archives to evade detection.  
 6references:
 7  - "https://twitter.com/executemalware/status/1537569201577156611"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and any(attachments,
13          .file_extension in~ $file_extensions_common_archives
14          and any(file.explode(.),
15                  .depth > 0 and .file_extension in~ ("html", "htm")
16          )
17  )
18  and (
19    not profile.by_sender().solicited
20    or (profile.by_sender().any_messages_malicious_or_spam)
21  )
22  and not profile.by_sender().any_messages_benign  
23tags:
24  - "Attack surface reduction"
25attack_types:
26  - "Credential Phishing"
27  - "Malware/Ransomware"
28tactics_and_techniques:
29  - "Evasion"
30  - "HTML smuggling"
31detection_methods:
32  - "Archive analysis"
33  - "File analysis"
34id: "6a67c02c-d405-531e-850a-1722849c5fe4"

Related rules

to-top