Attachment: Any HTML file (untrusted sender)

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Sublime rule (View on GitHub)

 1name: "Attachment: Any HTML file (untrusted sender)"
 2description: |
 3  Potential HTML smuggling attacks from new senders.
 4  Use if passing HTML files is not normal behavior in your environment.
 5  This rule may be expanded to inspect HTML attachments for suspicious code.  
 6references:
 7  - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
 8  - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
 9type: "rule"
10severity: "medium"
11source: |
12  type.inbound
13  and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
14  and (
15    (
16      profile.by_sender().prevalence in ("new", "outlier")
17      and not profile.by_sender().solicited
18    )
19    or profile.by_sender().any_messages_malicious_or_spam
20  )
21  and not profile.by_sender().any_false_positives
22
23  // negate highly trusted sender domains unless they fail DMARC authentication
24  and
25  (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and (
29        any(distinct(headers.hops, .authentication_results.dmarc is not null),
30            strings.ilike(.authentication_results.dmarc, "*fail")
31        )
32      )
33    )
34    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
35  )  
36
37tags:
38  - "Attack surface reduction"
39tactics_and_techniques:
40  - "HTML smuggling"
41detection_methods:
42  - "HTML analysis"
43  - "Sender analysis"
44id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42"

Related rules

to-top