Attachment: EML containing a base64 encoded script

Attached EML contains a base64-encoded script (HTML smuggling via a `data:text/html;base64` URI) in its HTML message body.

Sublime rule (View on GitHub)

 1name: "Attachment: EML containing a base64 encoded script"
 2description: "Attached EML contains a base64 encoded script in the message body."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1000
 8  and any(attachments,
 9          (.content_type == "message/rfc822" or .file_extension == "eml")
10          and strings.ilike(file.parse_eml(.).body.html.raw, "*script*data:text/html;base64*")
11  )
12  // exclude bounce backs & read receipts
13  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
14  and not any(attachments, .content_type == "message/delivery-status")  
15attack_types:
16  - "Credential Phishing"
17tactics_and_techniques:
18  - "Evasion"
19  - "HTML smuggling"
20  - "Scripting"
21  - "Social engineering"
22detection_methods:
23  - "File analysis"
24  - "HTML analysis"
25  - "Sender analysis"
26id: "fc3d9445-b977-5653-814f-079d40c04609"