Attachment: EML containing a base64 encoded script
Attached EML contains a base64 encoded script in the message body.
Sublime rule
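name: "Attachment: EML containing a base64 encoded script"
description: "Attached EML contains a base64 encoded script in the message body."
type: "rule"
severity: "high"
source: |
  type.inbound
  // the carrier message must have under 1000 characters of current-thread text;
  // presumably because the smuggled content sits in the attachment, not the visible body
  and length(body.current_thread.text) < 1000
  // an attached message (by MIME type or .eml extension) whose HTML body contains a
  // "script" token followed by a base64 data:text/html URI - the HTML-smuggling signature.
  // Only .body.html.raw of the attached EML is inspected: its text part and any
  // attachments nested inside it are not examined by this rule.
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension == "eml")
          and strings.ilike(file.parse_eml(.).body.html.raw, "*script*data:text/html;base64*")
  )
  // exclude bounce backs & read receipts
  // NOTE(review): strings.like is case-sensitive (unlike the ilike above), so a local part
  // such as "Postmaster" would not be excluded - confirm whether that is intended
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not any(attachments, .content_type == "message/delivery-status")
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "fc3d9445-b977-5653-814f-079d40c04609"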