Attachment: EML with Embedded Javascript in SVG File

calendar Apr 17, 2025  ·
Share on: linkedin copy

Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Sublime rule (View on GitHub)

  1name: "Attachment: EML with Embedded Javascript in SVG File"
  2description: "Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and any(attachments,
  8          (.content_type == "message/rfc822" or .file_extension =~ "eml")
  9          and (
 10            any(file.parse_eml(.).attachments,
 11                .file_extension in~ ("svg", "svgz")
 12                and (
 13                  (
 14                    strings.ilike(file.parse_text(.,
 15                                                  encodings=[
 16                                                    "ascii",
 17                                                    "utf8",
 18                                                    "utf16-le"
 19                                                  ]
 20                                  ).text,
 21                                  "*onload*",
 22                                  "*window.location.href*",
 23                                  "*onerror*",
 24                                  "*CDATA*",
 25                                  "*<script*",
 26                                  "*</script*",
 27                                  "*atob*",
 28                                  '*location.assign*',
 29                                  '*decodeURIComponent*'
 30                    )
 31                    or regex.icontains(file.parse_text(.,
 32                                                       encodings=[
 33                                                         "ascii",
 34                                                         "utf8",
 35                                                         "utf16-le"
 36                                                       ]
 37                                       ).text,
 38                                       '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
 39                    )
 40                    or any(beta.scan_base64(file.parse_text(.).text,
 41                                            encodings=[
 42                                              "ascii",
 43                                              "utf8",
 44                                              "utf16-le"
 45                                            ]
 46                           ),
 47                           strings.ilike(.,
 48                                         "*onload*",
 49                                         "*window.location.href*",
 50                                         "*onerror*",
 51                                         "*CDATA*",
 52                                         "*<script*",
 53                                         "*</script*",
 54                                         "*atob*",
 55                                         '*location.assign*',
 56                                         '*decodeURIComponent*'
 57                           )
 58                    )
 59                  )
 60                  or (
 61                    (
 62                      .file_extension in $file_extensions_common_archives
 63                      or .file_type == "gz"
 64                      or .content_type == "application/x-gzip"
 65                    )
 66                    and any(file.explode(.),
 67                            (
 68                              .file_extension in~ ("svg", "svgz")
 69                              or .flavors.mime == "image/svg+xml"
 70                            )
 71                            and any(.scan.strings.strings,
 72                                    strings.ilike(.,
 73                                                  "*onload*",
 74                                                  "*window.location.href*",
 75                                                  "*onerror*",
 76                                                  "*CDATA*",
 77                                                  "*<script*",
 78                                                  "*</script*",
 79                                                  "*atob*",
 80                                                  "*location.assign*",
 81                                                  "*decodeURIComponent*"
 82                                    )
 83                            )
 84                    )
 85                  )
 86                )
 87            )
 88          )
 89  )  
 90attack_types:
 91  - "Credential Phishing"
 92  - "Malware/Ransomware"
 93tactics_and_techniques:
 94  - "Scripting"
 95  - "Evasion"
 96detection_methods:
 97  - "File analysis"
 98  - "Javascript analysis"
 99  - "Sender analysis"
100id: "dfafb78f-f22b-5675-a54b-3d5602ae31ea"
to-top