Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files inside EML attachments when the sender is unlikely to be legitimate: a new or outlier sender that is not solicited, a sender with prior malicious/spam history and no benign history, or a sender in an org domain that did not pass DMARC.
Reduces attack surface against HTML smuggling (an HTML file carried inside a forwarded/attached message, which many gateways scan less thoroughly than a direct HTML attachment).
Sublime rule:
# Sublime detection rule.
# Fires on inbound mail that carries an EML attachment which itself contains an
# HTML file, but only when the outer sender looks unsolicited, has a bad
# history, or fails DMARC on an org domain. Nested HTML is a common HTML-
# smuggling delivery vector; the sender checks keep the rule from firing on
# ordinary forwarded mail from known-good senders.
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  // An attachment counts as an EML if either the extension or the declared
  // content type says so (the two are checked independently, so a renamed
  // .eml with the right MIME type, or a mislabeled one with the right
  // extension, still qualifies).
  and any(attachments,
          (.file_extension == "eml" or .content_type == "message/rfc822")
          // NOTE(review): only one level of nesting is inspected here. An
          // HTML file inside an EML that is itself inside this EML is not
          // reached, since parse_eml is applied once to the direct attachment.
          and any(file.parse_eml(.).attachments,
                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  // NOTE(review): "*htm*" is a deliberately broad glob and
                  // matches any file name containing "htm" (e.g. "rhythm.docx"),
                  // not just .htm/.html extensions; the file_type and MIME
                  // flavor checks below cover files with unrelated names.
                  strings.ilike(.file_name, "*htm*")
                  or .file_type == "html"
                  // content-based check: catches HTML regardless of file name
                  or any(file.explode(.), .flavors.mime == "text/html")
          )
  )

  // exclude bounce backs & read receipts
  // Bounces and receipts legitimately embed the original message as an
  // EML, so they are filtered out by sender local part, subject prefix,
  // and the presence of a delivery-status part.
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  // NOTE(review): this check reads only the HTML body's display text, so a
  // plain-text-only bounce is not excluded by this clause and must be caught
  // by the three exclusions above.
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // unsolicited or fails authentication
  // Any one of the three sender conditions is enough:
  and (
    // 1. new/outlier sender that the recipient has not previously solicited
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    // 2. sender with prior malicious/spam messages and no benign history
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // 3. sender claims one of our own domains but did not pass DMARC;
    //    coalesce() treats a missing DMARC result as a failure
    or (
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain is exempt only while it passes DMARC; a
  // spoofed or unauthenticated message from such a domain is still in scope.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"