Attachment: EML file contains HTML attachment with login portal indicators
Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
# Sublime detection rule: an inbound message carrying an attached EML whose
# exploded parts contain HTML/JavaScript login-page indicators. The YAML keys
# are rule metadata; the matching logic is the query in the "source" block.
name: "Attachment: EML file contains HTML attachment with login portal indicators"
description: |
  Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
type: "rule"
severity: "high"
# The block below is a single boolean expression. "//" comments are part of
# that query language and are the only comment form usable inside it.
source: |
  // Scope: inbound mail only; every conjunct after this narrows that set.
  type.inbound

  // exclude bounce backs & read receipts
  // sender local-part: any of the glob patterns below matches
  // ("like", not "ilike" -- presumably case-sensitive, unlike the checks further down)
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  // case-insensitive subject match; the trailing ".*" suggests imatch is
  // anchored to the whole subject, so only a leading "undeliverable" / "read:" is excluded
  and not regex.imatch(subject.subject, "(undeliverable|read:).*")
  and not any(attachments, .content_type == "message/delivery-status")

  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // Exclude replies / threaded mail: either the message carries no threading
  // headers at all, or none of subject, per-hop In-Reply-To field, or the
  // DKIM-signed header list indicates a reply.
  and (
    (length(headers.references) == 0 and headers.in_reply_to is null)
    or (
      not strings.istarts_with(subject.subject, "re:")
      and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
      // NOTE(review): "*:reply-to" only matches a signed-header list that ends
      // in ":reply-to" (i.e. a signed Reply-To header). It cannot match
      // "in-reply-to", which has "-" rather than ":" before "reply-to" --
      // confirm whether "*in-reply-to*" was the intended pattern.
      and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
    )
  )
  // An attached message: RFC 822 content type, or an .eml extension when the
  // content type is something else.
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension in ('eml'))
          // file.explode(.) yields the attached message's parts; presumably the
          // inner HTML attachment is one of them. Each branch below is
          // evaluated per exploded part, and one matching part is enough.
          and any(file.explode(.),
                  // suspicious strings found in javascript
                  // NOTE(review): this counts matching strings, not distinct
                  // indicators -- three occurrences of "*username*" alone reach
                  // the threshold, whereas the "3 of" branch below needs three
                  // different indicators. Confirm the asymmetry is intended.
                  length(filter(.scan.javascript.strings,
                                strings.ilike(.,
                                              "*username*",
                                              "*login-form*",
                                              "*email-form*",
                                              "*Incorrect password. Please try again.*",
                                              "*Password Incomplete, please try again*"
                                )
                         )
                  ) >= 3
                  or (

                    // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
                    // "in~": case-insensitive membership test on the detected MIME flavor
                    .flavors.mime in~ ("text/html", "text/plain")
                    // three (or more) of the five distinct indicators below
                    and 3 of (
                      any(.scan.strings.strings, strings.ilike(., "*username*")),
                      any(.scan.strings.strings, strings.ilike(., "*login-form*")),
                      any(.scan.strings.strings, strings.ilike(., "*email-form*")),
                      any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*Incorrect password. Please try again.*"
                          )
                      ),
                      any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*Password Incomplete, please try again*"
                          )
                      )
                    )
                  )
                  or

                  // Known phishing obfuscation
                  // No .flavors.mime guard on this branch, so it applies to every
                  // exploded part. "Sign in" on its own is an ordinary phrase;
                  // the "2 of" threshold is presumably what keeps this branch
                  // from matching forwarded account notifications.
                  2 of (
                    // Enter password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Enter password*"
                        )
                    ),
                    // Forgotten my password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Forgotten my password*"
                        )
                    ),
                    // Sign in
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Sign in*"
                        )
                    )
                  )
          )
  )
# Classification / tagging metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
# Stable identifier for this rule (UUID).
id: "6e4df158-6498-572b-9448-a343c531e5f9"