Attachment: EML file contains HTML attachment with login portal indicators

Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.

Sublime rule

```yaml
name: "Attachment: EML file contains HTML attachment with login portal indicators"
description: |
    Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
type: "rule"
severity: "high"
source: |
  type.inbound

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.imatch(subject.subject, "(undeliverable|read:).*")
  and not any(attachments, .content_type == "message/delivery-status")

  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    (length(headers.references) == 0 and headers.in_reply_to is null)
    or (
      not strings.istarts_with(subject.subject, "re:")
      and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
      and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
    )
  )
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),
                  // suspicious strings found in javascript
                  length(filter(.scan.javascript.strings,
                                strings.ilike(.,
                                              "*username*",
                                              "*login-form*",
                                              "*email-form*",
                                              "*Incorrect password. Please try again.*",
                                              "*Password Incomplete, please try again*"
                                )
                         )
                  ) >= 3
                  or (

                    // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
                    .flavors.mime in~ ("text/html", "text/plain")
                    and 3 of (
                      any(.scan.strings.strings, strings.ilike(., "*username*")),
                      any(.scan.strings.strings, strings.ilike(., "*login-form*")),
                      any(.scan.strings.strings, strings.ilike(., "*email-form*")),
                      any(.scan.strings.strings,
                          strings.ilike(., "*Incorrect password. Please try again.*")
                      ),
                      any(.scan.strings.strings,
                          strings.ilike(., "*Password Incomplete, please try again*")
                      )
                    )
                  )
                  or

                  // Known phishing obfuscation
                  2 of (
                    // Enter password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Enter passwor&#100*"
                        )
                    ),
                    // Forgotten my password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Forgotten my passwor&#100*"
                        )
                    ),
                    // Sign in
                    any(.scan.strings.strings,
                        strings.ilike(., "*Sign i&#110*")
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
id: "6e4df158-6498-572b-9448-a343c531e5f9"
```
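To show what the rule's attachment logic is doing, here is a stand-alone Python approximation of it. This is an added example, not the Sublime rule or any Sublime code: it walks the outer message's MIME tree in place of `file.explode`, looks only at `text/html` and `text/plain` parts inside `message/rfc822` attachments, does not extract JavaScript strings, and implements only the sender/subject/delivery-status bounce exclusions (the `References`/`In-Reply-To` thread heuristics are omitted). The thresholds are the rule's (3 plain indicators, or 2 of the entity-obfuscated phrases). It goes one step beyond the rule by also decoding HTML character references before matching, so a page that spells the same words with a different entity encoding (for example a hexadecimal reference instead of `&#100`) is caught as well; that branch is marked as an extension in the code. The messages and HTML bodies are constructed for this example.

```python
import email
import html
import re
from email import policy
from email.utils import parseaddr

# Indicator phrases from the rule, matched case-insensitively as substrings
LOGIN_INDICATORS = ("username", "login-form", "email-form",
                    "incorrect password. please try again.",
                    "password incomplete, please try again")
# The rule's entity-obfuscated literals ("&#100" is "d", "&#110" is "n")
OBFUSCATED_INDICATORS = ("enter passwor&#100", "forgotten my passwor&#100", "sign i&#110")
# Extension beyond the rule: the same phrases after entity decoding, so other
# encodings of the same characters (hex references, named entities) match too
DEOBFUSCATED_INDICATORS = tuple(html.unescape(s) for s in OBFUSCATED_INDICATORS)
BOUNCE_SENDERS = ("postmaster", "mailer-daemon", "administrator")

# Constructed sample template: outer message -> attached .eml -> attached HTML
EML_TEMPLATE = """From: {SENDER}
To: user@example.test
Subject: Voicemail notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

Please see the attached message.

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="message.eml"

From: voicemail@example.test
To: user@example.test
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Open the attached page to listen.

--inner
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="voicemail.html"

{HTML}
--inner--
--outer--
"""
# Constructed HTML bodies: an entity-obfuscated login page and a benign page
PHISH_HTML = ('<html><body><form id="login-form"><label>Enter passwor&#100</label>'
              '<input name="username"><a href="#">Forgotten my passwor&#100</a>'
              '<button>Sign i&#110</button></form></body></html>')
BENIGN_HTML = "<html><body><p>Your invoice is attached.</p></body></html>"


def build_eml(html_body, sender='"IT Support" <helpdesk@example.test>'):
    """Build a constructed sample message from the template above."""
    return EML_TEMPLATE.replace("{SENDER}", sender).replace("{HTML}", html_body)


def looks_like_bounce(msg):
    """Mirror the rule's bounce and read-receipt exclusions."""
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if any(word in local_part for word in BOUNCE_SENDERS):
        return True
    if re.match(r"(undeliverable|read:)", msg.get("Subject", ""), re.IGNORECASE):
        return True
    return any(p.get_content_type() == "message/delivery-status" for p in msg.walk())


def attached_message_texts(msg):
    """Yield the text of text/html and text/plain parts found inside
    message/rfc822 attachments (stands in for file.explode on the .eml)."""
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for inner in part.get_payload():  # payload of an rfc822 part is [message]
            for sub in inner.walk():
                if sub.get_content_type() in ("text/html", "text/plain"):
                    yield sub.get_content()


def score_text(text):
    """Count indicator hits: plain and obfuscated phrases on the raw text (as the
    rule does) and the decoded phrases on entity-unescaped text (extension)."""
    raw = text.lower()
    decoded = html.unescape(text).lower()
    return {"plain": sum(s in raw for s in LOGIN_INDICATORS),
            "obfuscated": sum(s in raw for s in OBFUSCATED_INDICATORS),
            "decoded": sum(s in decoded for s in DEOBFUSCATED_INDICATORS)}


def evaluate(raw_eml):
    """Return (flagged, per-part scores) using the rule's thresholds: 3 plain
    indicators or 2 obfuscated ones; the decoded branch is the extension."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    if looks_like_bounce(msg):
        return False, []
    scores = [score_text(t) for t in attached_message_texts(msg)]
    flagged = any(s["plain"] >= 3 or s["obfuscated"] >= 2 or s["decoded"] >= 2
                  for s in scores)
    return flagged, scores


if __name__ == "__main__":
    for label, body in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, evaluate(build_eml(body)))
```

On the constructed phishing sample the plain-indicator branch alone does not reach its threshold (only `username` and `login-form` appear), which is exactly the case the rule's obfuscation branch exists for: the three `&#100`/`&#110` phrases push it over. Note the real rule also inspects strings extracted from JavaScript and the exploded file's detected MIME flavor, neither of which this approximation reproduces.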