Attachment: EML file with HTML attachment (unsolicited)

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Sublime rule (View on GitHub)

```yaml
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          .content_type == "message/rfc822"
          and any(file.explode(.),

                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")

          // optional: we can add additional signals here if necessary
          // identify at least one additional suspicious signal in the message
          // and (
          //     // html smuggling signals
          //     any(.scan.javascript.identifiers, . == "unescape") or
          //     any(.scan.strings.strings, regex.icontains(., "eval")) or
          //     // more signals here if needed

          //     // commonly abused sender TLD
          //     strings.ilike(sender.email.domain.tld, "*.jp")
          // )
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
```
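The rule above has three parts: walk into any `message/rfc822` attachment and look for a file whose *name* (not extension, because of the `.htm.` edge case) contains `htm`; drop messages that look like bounces or read receipts; and only fire when the sender profile is new, an outlier, or previously malicious. The following Python re-implements that logic over a constructed EML so the nested-attachment walk and each exclusion can be exercised offline. This is an added example, not Sublime's code or a Sublime API; `evaluate`, `build_sample`, the sender `profile` dict and the sample addresses are assumptions standing in for the platform's `profile.by_sender()` data and message model.

```python
"""Added example: mirrors the EML-with-HTML rule in plain Python (not Sublime's own code)."""
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Mirrors the rule's bounce/read-receipt exclusions. strings.like is case-sensitive,
# so fnmatchcase is used for the local-part patterns; regex.icontains is case-insensitive.
BOUNCE_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")
BOUNCE_SUBJECT = re.compile(r"^(undeliverable|read:)", re.IGNORECASE)


def html_like(file_name):
    # strings.ilike(.file_name, "*htm*"): case-insensitive glob on the whole name,
    # so a file called "report.htm." (empty extension) still matches.
    return fnmatch.fnmatch((file_name or "").lower(), "*htm*")


def html_files_in_eml_attachments(msg):
    """Names of HTML-like files found inside message/rfc822 attachments (file.explode)."""
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        payload = part.get_payload()          # a list holding the attached message
        inner = payload[0] if isinstance(payload, list) else payload
        for sub in inner.walk():
            name = sub.get_filename()
            if name and html_like(name):
                hits.append(name)
    return hits


def looks_like_bounce(msg):
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0]
    if any(fnmatch.fnmatchcase(local_part, p) for p in BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        return True
    if any(p.get_content_type() == "message/delivery-status" for p in msg.walk()):
        return True
    # A Message-ID from References quoted in the body is typical of a bounce.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return any(ref in text for ref in msg.get("References", "").split())


def evaluate(raw_bytes, profile):
    """profile is an assumed stand-in for profile.by_sender():
    {"prevalence": ..., "malicious_or_spam": bool, "false_positives": bool}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not html_files_in_eml_attachments(msg) or looks_like_bounce(msg):
        return False
    risky_sender = (profile["prevalence"] in ("new", "outlier")
                    or profile["malicious_or_spam"])
    return risky_sender and not profile["false_positives"]


def build_sample(sender, subject, inner_filename):
    """Constructed test message: an outer mail carrying a forwarded .eml whose own
    attachment is an HTML file. Addresses use the reserved .invalid TLD."""
    inner = EmailMessage()
    inner["From"] = "someone@example.invalid"
    inner["Subject"] = "Invoice"
    inner.set_content("see attached")
    inner.add_attachment(b"<html><body>placeholder</body></html>",
                         maintype="text", subtype="html", filename=inner_filename)
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "recipient@example.invalid"
    outer["Subject"] = subject
    outer.set_content("forwarded message attached")
    outer.add_attachment(inner, filename="forwarded.eml")   # becomes message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    new_sender = {"prevalence": "new", "malicious_or_spam": False, "false_positives": False}
    print(evaluate(build_sample("alice@example.invalid", "FYI", "report.htm."), new_sender))
```

The `.htm.` case is the one worth keeping in a regression test: an extension-based check returns an empty string for it, while the name-based glob still matches. The bounce exclusions are deliberately applied before the sender-profile check, so a new sender's bounce message never counts against it.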
