Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders.
Reduces attack surface against HTML smuggling.
Sublime rule
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),

                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")

                  // optional: we can add additional signals here if necessary
                  // identify at least one additional suspicious signal in the message
                  // and (
                  //   // html smuggling signals
                  //   any(.scan.javascript.identifiers, . == "unescape") or
                  //   any(.scan.strings.strings, regex.icontains(., "eval")) or
                  //   // more signals here if needed

                  //   // commonly abused sender TLD
                  //   strings.ilike(sender.email.domain.tld, "*.jp")
                  // )
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
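To make the rule's logic concrete outside the Sublime platform, the following is an added example (not Sublime's code) that builds a constructed inbound message carrying a message/rfc822 attachment, explodes it with Python's standard email library, and applies the same checks: a nested file whose name matches `*htm*` (including the `.htm.` edge case the rule comments on), the bounce and read-receipt exclusions, and the sender-profile condition. Sublime's `profile.by_sender()` data is not available offline, so `is_unsolicited()` takes an assumed dictionary with the same three fields; `build_sample()` and every address, subject and file name in it are constructed.

```python
"""Added example: a stand-alone sketch of the Sublime rule's logic (not Sublime's code)."""
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Mirrors the rule's strings.like() patterns on the sender local part.
BOUNCE_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")
# Mirrors regex.icontains(subject.subject, "^(undeliverable|read:)").
BOUNCE_SUBJECT = re.compile(r"^(undeliverable|read:)", re.IGNORECASE)


def build_sample(sender: str, subject: str, inner_filename: str) -> bytes:
    """Constructed sample: an inbound message that forwards another message as a
    message/rfc822 attachment; the inner message carries one file attachment."""
    inner = EmailMessage()
    inner["From"] = "accounts@example.net"
    inner["To"] = "user@example.com"
    inner["Subject"] = "Invoice"
    inner.set_content("See attached.")
    # Placeholder HTML; the rule keys on the file name, not the file content.
    inner.add_attachment("<html><body>placeholder</body></html>",
                         subtype="html", filename=inner_filename)
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "user@example.com"
    outer["Subject"] = subject
    outer.set_content("Forwarding for review.")
    outer.add_attachment(inner, filename="original.eml")  # becomes message/rfc822
    return outer.as_bytes()


def nested_filenames(msg: EmailMessage):
    """Yield file names found inside message/rfc822 attachments, the rough
    equivalent of file.explode() on an EML attachment in the rule."""
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        embedded = part.get_content()  # the embedded EmailMessage object
        for sub in embedded.walk():
            name = sub.get_filename()
            if name:
                yield name


def looks_like_bounce(msg: EmailMessage) -> bool:
    """The rule's bounce / read-receipt exclusions."""
    local_part = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[0]
    if any(fnmatch.fnmatchcase(local_part, p) for p in BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        return True
    if any(p.get_content_type() == "message/delivery-status"
           for p in msg.iter_attachments()):
        return True
    # A References message-id quoted in the body usually means a bounce.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    refs = (msg.get("References") or "").split()
    return any(ref in text for ref in refs)


def is_unsolicited(profile: dict) -> bool:
    """Assumed stand-in for profile.by_sender(): a dict with the keys
    'prevalence', 'any_messages_malicious_or_spam', 'any_false_positives'."""
    suspicious = (profile.get("prevalence") in ("new", "outlier")
                  or profile.get("any_messages_malicious_or_spam", False))
    return suspicious and not profile.get("any_false_positives", False)


def rule_matches(raw: bytes, profile: dict) -> bool:
    """True when the message would trigger the rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # strings.ilike(.file_name, "*htm*") is case-insensitive, so lower-case first.
    html_in_eml = any(fnmatch.fnmatchcase(n.lower(), "*htm*")
                      for n in nested_filenames(msg))
    return html_in_eml and not looks_like_bounce(msg) and is_unsolicited(profile)


if __name__ == "__main__":
    sample = build_sample("bob@example.org", "Please review", "invoice.htm.")
    print("new sender, .htm. inside EML ->", rule_matches(sample, {"prevalence": "new"}))
    print("common sender, same message  ->", rule_matches(sample, {"prevalence": "common"}))
```

The `.htm.` file name shows why the rule matches on `.file_name` rather than an extension field: a trailing dot leaves no extension to inspect, but the name still contains `htm`. Swapping the profile dictionary between `new` and `common` shows that the same message is only flagged when the sender has no established history.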