Attachment: EML containing a base64 encoded script

Attached EML contains a base64 encoded script in the message body.

Sublime rule

# Sublime Security detection rule. `source` holds the query, written in
# Sublime's Message Query Language (MQL), that is evaluated against each
# message; the remaining keys are rule metadata.
name: "Attachment: EML containing a base64 encoded script"
description: "Attached EML contains a base64 encoded script in the message body."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Visible text of the current thread is short (under 1000 characters);
  // presumably because the lure's payload lives in the attachment rather than
  // the message text — confirm against the rule's sample set before changing.
  and length(body.current_thread.text) < 1000
  // At least one directly attached email (by MIME type or .eml extension) whose
  // parsed HTML body contains, case-insensitively, "script" followed by a
  // base64 data: URI for text/html — the HTML-smuggling pattern this rule targets.
  // Only first-level attachments are parsed; this rule does not recurse into
  // attachments of the parsed EML. If the attached EML has no HTML body, the
  // ilike operand is presumably empty/null and the clause does not match — confirm.
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension == "eml")
          and strings.ilike(file.parse_eml(.).body.html.raw,
                            "*script*data:text/html;base64*"
          )
  )
  // exclude bounce backs & read receipts
  // NOTE(review): strings.like is case-sensitive while the match above uses
  // ilike; a sender such as MAILER-DAEMON@... would not be excluded here unless
  // local_part is already normalised to lower case — confirm.
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  // Delivery status notifications (bounces) carry a message/delivery-status part.
  and not any(attachments, .content_type == "message/delivery-status")  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "fc3d9445-b977-5653-814f-079d40c04609"