Attachment: EML file with HTML attachment (unsolicited)

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Sublime rule

name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),

                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")

          // optional: we can add additional signals here if necessary
          // identify at least one additional suspicious signal in the message
          // and (
          //     // html smuggling signals
          //     any(.scan.javascript.identifiers, . == "unescape") or
          //     any(.scan.strings.strings, regex.icontains(., "eval")) or
          //     // more signals here if needed

          //     // commonly abused sender TLD
          //     strings.ilike(sender.email.domain.tld, "*.jp")
          // )
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))

  // unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
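The following is an added example, not code from the Sublime rule or its repository. It re-implements the rule's three predicates (an HTML-named file inside a message/rfc822 attachment, the bounce and read-receipt exclusions, and the unsolicited-sender test) with only the Python standard library, so the ".htm." trailing-dot case the rule's comments describe can be exercised offline. The sample EML, the contents of the free-provider and recipient lists, the last-two-labels root-domain helper, and the use of the plain-text body as a stand-in for body.html.display_text are all assumptions for illustration; Sublime's real $lists, public-suffix handling and rendered display text differ.

```python
"""Stand-alone approximation of the Sublime rule (added example, not the rule itself)."""
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-ins for the rule's $free_email_providers, $recipient_domains
# and $recipient_emails lists (assumption: the real lists are far larger).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
RECIPIENT_DOMAINS = {"example.com"}
RECIPIENT_EMAILS = {"alice@example.com", "bob@example.com"}

# Constructed sample: a free-mail sender forwards a message/rfc822 attachment that
# itself carries an HTML file named with a trailing dot ("invoice.htm."), the naming
# trick the rule's comments mention. Addresses and content are invented.
SAMPLE_EML = b"""From: Mallory <mallory@gmail.com>
To: alice@example.com
Subject: FW: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

Please see the forwarded message.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="forwarded.eml"

From: accounts@partner.invalid
To: alice@example.com
Subject: Invoice 4411
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Invoice attached.
--inner
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.htm."

<html><body><script>document.write(unescape('%3Cp%3Ehi%3C%2Fp%3E'))</script></body></html>
--inner--

--outer--
"""


def file_extension(name: str) -> str:
    """Text after the last dot. 'invoice.htm.' yields '', which is why the rule
    matches on .file_name instead of .file_extension (assumed derivation)."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob, mirroring strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def like(value: str, *patterns: str) -> bool:
    """Case-sensitive glob over several patterns, mirroring strings.like."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def sender_address(msg: EmailMessage) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def html_files_in_eml_attachments(msg: EmailMessage) -> list:
    """Mirror of any(attachments, .content_type == "message/rfc822" and any(file.explode(.), ...)):
    open each top-level EML attachment and collect inner file names matching *htm*."""
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the attached message itself
        for sub in inner.walk():
            name = sub.get_filename()
            if name and ilike(name, "*htm*"):
                hits.append(name)
    return hits


def is_bounce_or_receipt(msg: EmailMessage) -> bool:
    """The rule's four bounce-back / read-receipt exclusions."""
    local_part = sender_address(msg).split("@")[0]
    if like(local_part, "*postmaster*", "*mailer-daemon*", "*administrator*"):
        return True
    if re.search(r"^(undeliverable|read:)", msg.get("Subject", ""), re.IGNORECASE):
        return True
    if any(p.get_content_type() == "message/delivery-status" for p in msg.iter_attachments()):
        return True
    # Assumption: the outer text body stands in for body.html.display_text.
    body = msg.get_body(preferencelist=("html", "plain"))
    display_text = body.get_content() if body else ""
    references = (msg.get("References") or "").split()
    return any(ref in display_text for ref in references)


def is_unsolicited(sender: str) -> bool:
    """The rule's free-provider / non-free-provider split."""
    domain = sender.split("@", 1)[1]
    root = ".".join(domain.split(".")[-2:])  # assumption: no public-suffix list
    if root in FREE_EMAIL_PROVIDERS:
        return sender not in RECIPIENT_EMAILS
    return domain not in RECIPIENT_DOMAINS


def matches_rule(raw: bytes) -> bool:
    msg = parse(raw)
    return (bool(html_files_in_eml_attachments(msg))
            and not is_bounce_or_receipt(msg)
            and is_unsolicited(sender_address(msg)))


if __name__ == "__main__":
    print("match:", matches_rule(SAMPLE_EML))
```

Swapping the outer From header for mailer-daemon@gmail.com, or the subject for "Undeliverable: Invoice", drops the message through the bounce exclusions; swapping it for bob@example.com drops it through the unsolicited test even though the HTML file is still inside the attached EML.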
