Attachment: EML with suspicious indicators

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Sublime rule

# Sublime Security detection rule. The rule fires when the MQL query in `source`
# evaluates true for an inbound message; the fields after `source` are
# classification metadata and are not referenced by the query.
# `$`-prefixed names ($file_types_images, $org_domains,
# $high_trust_sender_root_domains) are lists not defined in this file.
name: "Attachment: EML with suspicious indicators"
description: "Attached EML contains suspicious indicators, such as a missing sender email or short HTML body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // a single attachment of any type; that it is an EML is enforced by the
    // any(attachments, ...) clause further down, not here
    length(attachments) == 1
    // or a single attached EML with one or more images used in the body of the message
    // likely within the signatures
    or (
      length(filter(attachments,
                    .file_extension == "eml" or .content_type == "message/rfc822"
             )
      ) == 1
      // every attachment other than the EML must be an image whose Content-ID is
      // referenced in the HTML body, either with the surrounding <...> stripped by
      // the regex or as the raw content_id value
      and length(filter(attachments,
                        .file_type in $file_types_images
                        and (
                          any(regex.extract(.content_id, '^<(?P<cid>.*)\>$'),
                              strings.icontains(body.html.raw,
                                                .named_groups["cid"]
                              )
                          )
                          or strings.icontains(body.html.raw, .content_id)
                        )
                 )
      ) == length(attachments) - 1
    )
  )
  // outer message body: short (under 300 chars), absent, or classified as a
  // credential-theft / PII-theft intent
  and (
    length(body.current_thread.text) < 300
    or body.current_thread.text is null
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("cred_theft", "steal_pii")
    )
  )
  // exclude messages the classifier rates benign with high confidence
  // NOTE(review): this call is reached even when body.current_thread.text is
  // null (permitted by the clause above) — confirm the null case evaluates as intended
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign" and .confidence == "high"
  )
  // at least one attached EML must show an indicator below and not match the
  // exclusion that follows
  and any(attachments,
          (.file_extension == "eml" or .content_type == "message/rfc822")
          and (
            // suspicious indicators
            // inner message has an empty sender address
            file.parse_eml(.).sender.email.email == ""
            // inner HTML body is shorter than 10 characters
            or length(file.parse_eml(.).body.html.raw) < 10
            // inner message carries fewer than two Received hops
            or length(file.parse_eml(.).headers.hops) < 2
            // the sender of the outer message is the recipient of the outer message
            // and the sender and recipient of the inner message
            // (single recipient on both outer and inner message, all the same address)
            or (
              sender.email.email in map(recipients.to, .email.email)
              and length(recipients.to) == 1
              and sender.email.email == file.parse_eml(.).sender.email.email
              and sender.email.email in map(file.parse_eml(.).recipients.to,
                                            .email.email
              )
              and length(file.parse_eml(.).recipients.to) == 1
            )
          )
          // exclusion: every link in the inner message is on aka.ms / office365.com
          // or is the "#additionalatt" anchor, AND the inner text contains the phrase
          // below. The phrase is written with a curly apostrophe (U+2019); a
          // straight-apostrophe variant does not satisfy this exclusion.
          and not (
            all(file.parse_eml(.).body.links,
                .href_url.domain.root_domain in ("aka.ms", "office365.com")
                or .href_url.url == "#additionalatt"
            )
            and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                  "We’re making sure your attachments are safe"
            )
          )
          // inner sender must not be one of the organization's own domains
          and file.parse_eml(.).sender.email.domain.root_domain not in $org_domains
  )
  // sender history: unsolicited, or solicited with prior malicious/spam and no
  // benign messages
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Classification metadata; not used by the query above.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "deb5d08d-92b7-5f7b-a7b0-e5053221c2f5"