Attachment: EML with Suspicious Indicators

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Sublime rule (View on GitHub)

 1name: "Attachment: EML with Suspicious Indicators"
 2description: "Attached EML contains suspicious indicators, such as a missing sender email or short HTML body."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // a single attachmed EML
 9    length(attachments) == 1
10    // or a single attached EML with one or more images used in the body of the message
11    // likely within the signatures
12    or (
13      length(filter(attachments,
14                    .file_extension == "eml" or .content_type == "message/rfc822"
15             )
16      ) == 1
17      and length(filter(attachments,
18                        .file_type in $file_types_images
19                        and 
20                        (
21                          any(regex.extract(.content_id, '^<(?P<cid>.*)\>$'),
22                            strings.icontains(body.html.raw,
23                                              .named_groups["cid"]
24                            )
25                          )
26                          or strings.icontains(body.html.raw, .content_id)
27                        )
28                 )
29      ) == length(attachments) - 1
30    )
31  )
32  and (
33    length(body.current_thread.text) < 300
34    or body.current_thread.text is null
35    or any(ml.nlu_classifier(body.current_thread.text).intents,
36           .name in ("cred_theft", "steal_pii")
37    )
38  )
39  and not any(ml.nlu_classifier(body.current_thread.text).intents,
40              .name == "benign" and .confidence == "high"
41  )
42  and any(attachments,
43          (.file_extension == "eml" or .content_type == "message/rfc822")
44          and (
45            // suspicious indicators
46            file.parse_eml(.).sender.email.email == ""
47            or length(file.parse_eml(.).body.html.raw) < 10
48            or length(file.parse_eml(.).headers.hops) < 2
49            // the sender of the outer message is the recipient of the outer message
50            // and the sender and recipient of the inner message
51            or (
52              sender.email.email in map(recipients.to, .email.email)
53              and length(recipients.to) == 1
54              and sender.email.email == file.parse_eml(.).sender.email.email
55              and sender.email.email in map(file.parse_eml(.).recipients.to, .email.email) 
56              and length(file.parse_eml(.).recipients.to) == 1
57            )
58            
59          )
60          and not (
61            all(file.parse_eml(.).body.links,
62                .href_url.domain.root_domain in ("aka.ms", "office365.com")
63                or .href_url.url == "#additionalatt"
64            )
65            and strings.icontains(file.parse_eml(.).body.current_thread.text,
66                                  "We’re making sure your attachments are safe"
67            )
68          )
69          and file.parse_eml(.).sender.email.domain.root_domain not in $org_domains
70  )
71  and (
72    not profile.by_sender().solicited
73    or (
74      profile.by_sender().any_messages_malicious_or_spam
75      and not profile.by_sender().any_false_positives
76    )
77  )
78  
79  // negate highly trusted sender domains unless they fail DMARC authentication
80  and (
81    (
82      sender.email.domain.root_domain in $high_trust_sender_root_domains
83      and not headers.auth_summary.dmarc.pass
84    )
85    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
86  )  
87attack_types:
88  - "Credential Phishing"
89tactics_and_techniques:
90  - "Evasion"
91  - "HTML smuggling"
92  - "Social engineering"
93detection_methods:
94  - "Content analysis"
95  - "File analysis"
96id: "deb5d08d-92b7-5f7b-a7b0-e5053221c2f5"