Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders.
Reduces attack surface against HTML smuggling.
Sublime rule
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          (.file_extension == "eml" or .content_type == "message/rfc822")
          and any(file.parse_eml(.).attachments,
                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")
                  or .file_type == "html"
                  or any(file.explode(.), .flavors.mime == "text/html")
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and not profile.by_sender().any_false_positives

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
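A stand-alone re-implementation of the rule's logic with Python's standard-library email parser, added here as an example; it is not Sublime's code, and the function names and the sample messages are invented and constructed inline. Sublime's file_type and flavors.mime magic detection is approximated by the declared content type plus a sniff of the leading bytes, and the type.inbound and profile.by_sender() checks are omitted because they need platform context a stand-alone script does not have. The example also exercises both EML delivery shapes the rule names: a real message/rfc822 part and a .eml shipped as application/octet-stream.

```python
"""Constructed example, not Sublime's code: mirror the rule's checks with the
standard library so the logic can be run against a local .eml file."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Bounce / read-receipt tells taken from the rule's exclusion block.
BOUNCE_LOCAL_PARTS = ("postmaster", "mailer-daemon", "administrator")
BOUNCE_SUBJECT_RE = re.compile(r"^(undeliverable|read:)", re.IGNORECASE)
# Assumed stand-in for Sublime's file_type / flavors.mime detection.
HTML_MAGIC = (b"<!doctype html", b"<html", b"<script")


def is_html_attachment(part: EmailMessage) -> bool:
    """The three tests the rule applies to each attachment of the nested EML."""
    name = (part.get_filename() or "").lower()
    if "htm" in name:  # catches "evil.htm.", which has no usable extension
        return True
    if part.get_content_type() == "text/html":
        return True
    head = (part.get_payload(decode=True) or b"")[:512].lstrip().lower()
    return head.startswith(HTML_MAGIC)  # content sniff, ignores the name


def nested_eml(part: EmailMessage) -> Optional[EmailMessage]:
    """Return the parsed inner message for an EML attachment, else None.
    message/rfc822 parts are already parsed; a .eml sent as octet-stream
    has to be parsed from its decoded bytes."""
    if part.get_content_type() == "message/rfc822":
        payload = part.get_payload()
        return payload[0] if isinstance(payload, list) and payload else None
    if (part.get_filename() or "").lower().endswith(".eml"):
        return email.message_from_bytes(part.get_payload(decode=True) or b"",
                                        policy=policy.default)
    return None


def looks_like_bounce(msg: EmailMessage) -> bool:
    """The rule's bounce-back and read-receipt exclusions."""
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if any(tag in local_part for tag in BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT_RE.search(msg.get("Subject", "")):
        return True
    if any(p.get_content_type() == "message/delivery-status"
           for p in msg.iter_attachments()):
        return True
    # A References message-id echoed in the body is another bounce tell.
    # (Raw body text here, where the rule uses body.html.display_text.)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return any(ref in text for ref in msg.get("References", "").split())


def flags_html_in_eml(msg: EmailMessage) -> bool:
    """True when an attached EML itself carries an HTML file and the outer
    message is not an obvious bounce or read receipt."""
    if looks_like_bounce(msg):
        return False
    for part in msg.iter_attachments():
        inner = nested_eml(part)
        if inner is not None and any(is_html_attachment(p)
                                     for p in inner.iter_attachments()):
            return True
    return False


def build_sample(attachment_name: str,
                 content: bytes = b"<html><body><script>/* smuggled */</script></body></html>",
                 as_rfc822: bool = True, sender: str = "alice@example.net",
                 subject: str = "FW: invoice") -> EmailMessage:
    """Constructed test message: an outer mail carrying an inner EML that in
    turn carries one attachment with the given name and bytes."""
    inner = EmailMessage()
    inner["From"] = "billing@example.org"
    inner["Subject"] = "Your invoice"
    inner.set_content("Please see the attached document.")
    inner.add_attachment(content, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "bob@example.com"
    outer["Subject"] = subject
    outer.set_content("Forwarding this for review.")
    if as_rfc822:
        outer.add_attachment(inner, filename="original.eml")
    else:
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="original.eml")
    # Round-trip through bytes so the parser sees what a gateway would see.
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    cases = [
        ("dotted .htm. name", build_sample("evil.htm.")),
        (".eml sent as octet-stream", build_sample("evil.html", as_rfc822=False)),
        ("html bytes behind .pdf name", build_sample("scan.pdf")),
        ("real pdf bytes", build_sample("report.pdf", content=b"%PDF-1.7 placeholder")),
        ("bounce from mailer-daemon", build_sample("evil.html", sender="mailer-daemon@example.net")),
    ]
    for label, sample in cases:
        print(f"{label:30} -> {flags_html_in_eml(sample)}")
```

The third case is the one worth noticing: a file named scan.pdf that is actually HTML still fires, which is what the rule's file_type and flavors.mime clauses buy over a filename check alone.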