Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders.
Reduces attack surface against HTML smuggling.
Sublime rule (View on GitHub)
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),

                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")

                  // optional: we can add additional signals here if necessary
                  // identify at least one additional suspicious signal in the message
                  // and (
                  //   // html smuggling signals
                  //   any(.scan.javascript.identifiers, . == "unescape") or
                  //   any(.scan.strings.strings, regex.icontains(., "eval")) or
                  //   // more signals here if needed

                  //   // commonly abused sender TLD
                  //   strings.ilike(sender.email.domain.tld, "*.jp")
                  // )
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if a message ID from the "References" header appears in the body, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))

  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
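To see how the three clauses of the rule (EML attachment carrying an HTML file, bounce exclusions, unsolicited sender) combine on a real message, here is an added example that re-implements the logic in Python on top of the standard library's email parser. It is not the Sublime rule engine or any project code: `FREE_EMAIL_PROVIDERS`, `RECIPIENT_EMAILS` and `RECIPIENT_DOMAINS` are placeholder sets standing in for Sublime's `$free_email_providers`, `$recipient_emails` and `$recipient_domains`; `iter_attachments()` and `walk()` stand in for `attachments` and `file.explode()`; the root-domain split on the last two labels is a shortcut (Sublime uses the public suffix list); the body-text check uses the decoded text part rather than rendered `display_text`; and `build_sample()` constructs a forwarded .eml with a `.htm.`-named HTML attachment, the edge case the rule's comment calls out, rather than replaying a captured message.

```python
import email
import email.utils
import fnmatch
import re
from email import policy
from email.message import EmailMessage

# Placeholder sets standing in for Sublime's $free_email_providers,
# $recipient_emails and $recipient_domains (assumed values, not real lists).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_EMAILS = {"alice@example.com"}
RECIPIENT_DOMAINS = {"example.com"}

BOUNCE_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")
BOUNCE_SUBJECT_RE = re.compile(r"^(undeliverable|read:)", re.IGNORECASE)


def ilike(value, *patterns):
    """Case-insensitive glob match, the stand-in for MQL strings.ilike/like."""
    value = (value or "").lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def sender_parts(msg):
    """(local_part, domain, root_domain, address) taken from the From header."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    # Assumption: root domain = last two labels. Sublime uses the public
    # suffix list, so multi-label suffixes such as co.uk differ here.
    root = ".".join(domain.split(".")[-2:])
    return local, domain, root, addr


def exploded_file_names(eml_part):
    """Approximates file.explode() on a message/rfc822 attachment: the file
    name of every nested part of the embedded message."""
    inner = eml_part.get_payload(0)  # the parsed embedded message
    return [p.get_filename() for p in inner.walk() if p.get_filename()]


def has_eml_with_html(msg):
    for att in msg.iter_attachments():
        if att.get_content_type() != "message/rfc822":
            continue
        # ".htm." names have an empty extension, so match on the name as the rule does
        if any(ilike(n, "*htm*") for n in exploded_file_names(att)):
            return True
    return False


def looks_like_bounce(msg):
    """The rule's bounce-back / read-receipt exclusions."""
    local, *_ = sender_parts(msg)
    if ilike(local, *BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT_RE.search(msg.get("Subject", "")):
        return True
    if any(a.get_content_type() == "message/delivery-status"
           for a in msg.iter_attachments()):
        return True
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    # a References message ID echoed in the body is treated as a bounce
    return any(ref in text for ref in (msg.get("References") or "").split())


def is_unsolicited(msg):
    _, domain, root, addr = sender_parts(msg)
    if root in FREE_EMAIL_PROVIDERS:
        return addr not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS


def rule_matches(raw_bytes):
    """True when the message satisfies all three clauses of the rule."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return has_eml_with_html(msg) and not looks_like_bounce(msg) and is_unsolicited(msg)


def build_sample(sender, html_name="invoice.htm.", subject="Fwd: invoice",
                 references=None, body="FYI, forwarding this."):
    """Constructed sample (not a captured message): an outer message from
    `sender` carrying a forwarded .eml that itself carries an HTML attachment."""
    inner = EmailMessage()
    inner["From"] = "billing@vendor.test"
    inner["To"] = "alice@example.com"
    inner["Subject"] = "Invoice attached"
    inner.set_content("Please open the attached invoice.")
    # The rule keys on the file name only, so plain HTML stands in for a payload.
    inner.add_attachment(b"<html><body><script>/* payload */</script></body></html>",
                         maintype="text", subtype="html", filename=html_name)
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "alice@example.com"
    outer["Subject"] = subject
    if references:
        outer["References"] = references
    outer.set_content(body)
    outer.add_attachment(inner)  # nests `inner` as a message/rfc822 attachment
    return outer.as_bytes()
```

`rule_matches(build_sample("mallory@gmail.com"))` fires (free-mail sender the recipient never wrote to), while the same message from `alice@example.com`, from `mailer-daemon@gmail.com`, with an `Undeliverable:` subject, or with `invoice.pdf` in place of `invoice.htm.` does not. One difference worth keeping in mind when porting: `ilike()` is used for the local-part check too, whereas the rule uses the case-sensitive `strings.like`.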