Attachment: Any HTML file (unsolicited)
Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Sublime rule (View on GitHub)
1name: "Attachment: Any HTML file (unsolicited)"
2description: |
3 Potential HTML smuggling attacks in unsolicited messages.
4 Use if passing HTML files is not normal behavior in your environment.
5 This rule may be expanded to inspect HTML attachments for suspicious code.
6references:
7 - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
8 - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
9type: "rule"
10severity: "low"
11source: |
12 type.inbound
13 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
14 and (
15 not profile.by_sender().solicited
16 or profile.by_sender().any_messages_malicious_or_spam
17 )
18
19 and not profile.by_sender().any_false_positives
20
21 // negate highly trusted sender domains unless they fail DMARC authentication
22 and (
23 (
24 sender.email.domain.root_domain in $high_trust_sender_root_domains
25 and not headers.auth_summary.dmarc.pass
26 )
27 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
28 )
29
30tags:
31 - "Attack surface reduction"
32tactics_and_techniques:
33 - "HTML smuggling"
34detection_methods:
35 - "File analysis"
36 - "HTML analysis"
37 - "Sender analysis"
38id: "ef36763f-917d-5338-b1ac-84047334dce8"