Attachment: Any HTML file (first-time sender)
Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Sublime rule:
name: "Attachment: Any HTML file (first-time sender)"
description: |
  Potential HTML smuggling attacks from new senders.
  Use if passing HTML files is not normal behavior in your environment.
  This rule may be expanded to inspect HTML attachments for suspicious code.
references:
  - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
  - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")

  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "HTML smuggling"
detection_methods:
  - "HTML analysis"
  - "Sender analysis"
id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42"
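As an added example, not Sublime's own code or engine: a plain-Python model of the rule's two-branch first-time-sender logic and its case-insensitive extension match, run against constructed messages. The message shape, the contents of the three lists and the root_domain derivation are assumptions.

```python
# Added example: a plain-Python model of the rule logic above, not Sublime's
# engine. Message shape, list contents and root_domain derivation are assumptions.
from dataclasses import dataclass, field

# Constructed stand-ins for the $free_email_providers, $sender_emails and
# $sender_domains lists referenced by the rule.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SENDER_EMAILS = {"alice@gmail.com"}      # known individual free-mail senders
SENDER_DOMAINS = {"partner.example"}     # known organisational sender domains


@dataclass
class Attachment:
    file_name: str
    file_type: str  # content-sniffed type, independent of the extension


@dataclass
class Message:
    sender_email: str
    attachments: list = field(default_factory=list)


def root_domain(domain: str) -> str:
    """Assumed approximation of MQL's .root_domain: last two labels only."""
    return ".".join(domain.lower().split(".")[-2:])


def is_html_attachment(att: Attachment) -> bool:
    # Mirrors `.file_extension in~ ('htm', 'html') or .file_type == "html"`;
    # in~ is case-insensitive, so "Invoice.HTML" still matches.
    ext = att.file_name.rsplit(".", 1)[-1].lower() if "." in att.file_name else ""
    return ext in ("htm", "html") or att.file_type == "html"


def is_first_time_sender(sender_email: str) -> bool:
    email = sender_email.lower()
    domain = email.split("@", 1)[1]
    if root_domain(domain) in FREE_EMAIL_PROVIDERS:
        # Free-mail senders are tracked per address, not per domain.
        return email not in SENDER_EMAILS
    # Everyone else is tracked per full sending domain (not root domain).
    return domain not in SENDER_DOMAINS


def rule_matches(msg: Message) -> bool:
    """True when the message would fire the rule (type.inbound is assumed)."""
    html = any(is_html_attachment(a) for a in msg.attachments)
    return html and is_first_time_sender(msg.sender_email)
```

Note that a subdomain such as mail.partner.example is compared against $sender_domains as a full domain, so it still counts as first-time unless that exact domain is on the list.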