Attachment: EML with Embedded Javascript in SVG File (unsolicited)
Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
# Sublime Security detection rule (YAML wrapper around an MQL `source` query).
# Scope: inbound mail carrying an EML attachment that itself carries an SVG
# whose parsed text — or base64 segments inside that text — shows script-like
# markers. The rule only fires for senders that are unsolicited, or that have a
# prior malicious/spam verdict with no recorded false positives.
name: "Attachment: EML with Embedded Javascript in SVG File (unsolicited)"
description: "Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs."
type: "rule"
severity: "high"
# Detection logic, read as three AND-ed conditions:
#   1. the message is inbound (`type.inbound`);
#   2. some attachment is an EML — by MIME type "message/rfc822" or by a
#      file extension matching "eml" — and, after `file.parse_eml`, one of
#      that inner message's attachments has an "svg" extension and its
#      `file.parse_text` output matches at least one of three indicator sets:
#        a. case-insensitive wildcard matches for onload / window.location.href /
#           onerror / CDATA / <script> / </script> in the plain text;
#        b. a case-insensitive regex for an <iframe> whose src is a
#           base64 `data:` URI;
#        c. the same wildcard set applied to each base64 segment that
#           `beta.scan_base64` finds in the text;
#   3. the sender-profile gate described at the bottom of the query.
# NOTE(review): `file.parse_text(.)` is evaluated separately in branches a, b and
#   c; it operates on the same SVG attachment each time, so the three calls are
#   expected to see identical text.
# NOTE(review): "*CDATA*" matches any CDATA section, not only ones wrapping
#   script; SVGs written by graphics editors may carry CDATA in style blocks
#   (assumption, not shown here) — the unsolicited-sender gate is what keeps
#   this from being noisy. Confirm false-positive rate against benign SVG mail.
# NOTE(review): the iframe regex anchors on a double-quoted src value
#   (`src\s*=\s*\"data:`); confirm that limiting coverage to that quoting form
#   is intended.
# NOTE(review): `beta.scan_base64` is in the beta namespace — confirm it is
#   still available in the platform version this rule is deployed to.
source: |
  type.inbound
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          and any(file.parse_eml(.).attachments,
                  .file_extension =~ "svg"
                  and (
                    strings.ilike(file.parse_text(.).text,
                                  "*onload*",
                                  "*window.location.href*",
                                  "*onerror*",
                                  "*CDATA*",
                                  "*<script>*",
                                  "*</script>*"
                    )
                    or regex.icontains(file.parse_text(.).text,
                                       '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
                    )
                    or any(beta.scan_base64(file.parse_text(.).text),
                           strings.ilike(.,
                                         "*onload*",
                                         "*window.location.href*",
                                         "*onerror*",
                                         "*CDATA*",
                                         "*<script>*",
                                         "*</script>*"
                           )
                    )
                  )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
# Classification metadata used for triage and reporting; these labels do not
# affect the match logic above.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Javascript analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged so existing references and
# suppressions continue to resolve to this rule.
id: "dfafb78f-f22b-5675-a54b-3d5602ae31ea"