Attachment: EML file with HTML attachment (unsolicited)

 1name: "Attachment: EML file with HTML attachment (unsolicited)"
 2description: |
 3  Detects HTML files in EML attachments from unsolicited senders.
 4
 5  Reduces attack surface against HTML smuggling.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  
11  // has EML attachment
12  and any(attachments,
13          (.file_extension == "eml" or .content_type == "message/rfc822")
14          and any(file.parse_eml(.).attachments,
15                  // HTML file inside EML attachment
16                  // we've seen files named ".htm.", which results in an empty
17                  // .file_extension, so instead we look at .file_name
18                  // they should be rare enough in EML attachments to not cause
19                  // extraneous FPs
20                  strings.ilike(.file_name, "*htm*")
21                  or .file_type == "html"
22                  or any(file.explode(.), .flavors.mime == "text/html")
23          )
24  )
25  
26  // exclude bounce backs & read receipts
27  and not strings.like(sender.email.local_part,
28                       "*postmaster*",
29                       "*mailer-daemon*",
30                       "*administrator*"
31  )
32  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
33  and not any(attachments, .content_type == "message/delivery-status")
34  // if the "References" is in the body of the message, it's probably a bounce
35  and not any(headers.references, strings.contains(body.html.display_text, .))
36  // unsolicited or fails authentation
37  and (
38    (
39      profile.by_sender_email().prevalence in ("new", "outlier")
40      and not profile.by_sender_email().solicited
41    )
42    or (
43      profile.by_sender_email().any_messages_malicious_or_spam
44      and not profile.by_sender_email().any_messages_benign
45    )
46    or (
47      sender.email.domain.domain in $org_domains
48      and not coalesce(headers.auth_summary.dmarc.pass, false)
49    )
50  )
51  
52  // negate highly trusted sender domains unless they fail DMARC authentication
53  and (
54    (
55      sender.email.domain.root_domain in $high_trust_sender_root_domains
56      and not coalesce(headers.auth_summary.dmarc.pass, false)
57    )
58    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
59  )  
60
61tags:
62  - "Attack surface reduction"
63attack_types:
64  - "Credential Phishing"
65  - "Malware/Ransomware"
66tactics_and_techniques:
67  - "Evasion"
68  - "HTML smuggling"
69detection_methods:
70  - "Content analysis"
71  - "File analysis"
72  - "Header analysis"
73  - "HTML analysis"
74  - "Sender analysis"
75id: "c24fd191-1685-5cb8-83ef-618225401332"