Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders.
Reduces attack surface against HTML smuggling.
Sublime rule:
name: "Attachment: EML file with HTML attachment (unsolicited)"
description: |
  Detects HTML files in EML attachments from unsolicited senders.

  Reduces attack surface against HTML smuggling.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // has EML attachment
  and any(attachments,
          (.file_extension == "eml" or .content_type == "message/rfc822")
          and any(file.parse_eml(.).attachments,
                  // HTML file inside EML attachment
                  // we've seen files named ".htm.", which results in an empty
                  // .file_extension, so instead we look at .file_name
                  // they should be rare enough in EML attachments to not cause
                  // extraneous FPs
                  strings.ilike(.file_name, "*htm*")
                  or .file_type == "html"
                  or any(file.explode(.), .flavors.mime == "text/html")
          )
  )

  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
  and not any(attachments, .content_type == "message/delivery-status")
  // if a "References" header value is quoted in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  // unsolicited
  and not profile.by_sender_email().solicited

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
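The following is an added walk-through of the rule's logic in plain Python, not Sublime's own code and not MQL: it parses a message with the standard library, finds EML attachments by declared type or by a `.eml` file name, applies the three HTML tests from the rule (name containing "htm", declared `text/html`, sniffed HTML), and then applies the bounce and read-receipt exclusions. The sender-profile lookup (`profile.by_sender_email().solicited`) has no stdlib equivalent, so it is replaced by an explicit set of solicited addresses; the sample messages are constructed inline and are not real mail.

```python
"""Stand-in for the Sublime rule above, written against the standard library.
The tests (filename containing 'htm', declared or sniffed HTML, the bounce and
read-receipt exclusions) follow the rule; the EML parsing details and the
'solicited' stand-in are assumptions of this example, not Sublime's MQL."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns copied from the rule; the sender-profile lookup is replaced by an
# explicit set of solicited addresses (an assumption of this example).
BOUNCE_LOCAL_PARTS = ("postmaster", "mailer-daemon", "administrator")
BOUNCE_SUBJECT_RE = re.compile(r"^(undeliverable|read:)", re.IGNORECASE)


def looks_like_html(part):
    """The rule's three HTML tests: name contains 'htm' (catches 'x.htm.',
    whose extension parses as empty), declared text/html, or sniffed HTML."""
    if "htm" in (part.get_filename() or "").lower():
        return True
    if part.get_content_type() == "text/html":
        return True
    head = (part.get_payload(decode=True) or b"").lstrip()[:512].lower()
    return head.startswith(b"<!doctype html") or b"<html" in head


def attached_emls(msg):
    """Yield nested messages: declared message/rfc822 parts, or files named
    *.eml that are parsed from their raw bytes (the rule's two EML tests)."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()  # a list holding one Message object
            if isinstance(inner, list) and inner:
                yield inner[0]
        elif name.endswith(".eml"):
            raw = part.get_payload(decode=True) or b""
            yield email.message_from_bytes(raw, policy=policy.default)


def has_html_inside_eml(msg):
    """True if any attached EML itself carries an HTML attachment."""
    for inner in attached_emls(msg):
        for part in inner.walk():
            if part.is_multipart():
                continue
            # only count real attachments, not the inner message's own body
            if part.get_content_disposition() != "attachment" and not part.get_filename():
                continue
            if looks_like_html(part):
                return True
    return False


def is_bounce_or_receipt(msg):
    """The rule's exclusions for non-delivery reports and read receipts."""
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if any(tag in local_part for tag in BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT_RE.search(str(msg.get("Subject", ""))):
        return True
    if any(p.get_content_type() == "message/delivery-status" for p in msg.walk()):
        return True
    # a References value quoted in the visible body is the rule's last bounce hint
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return any(ref in text for ref in str(msg.get("References", "")).split())


def rule_matches(msg, solicited_senders=frozenset()):
    """Whole rule, with profile.by_sender_email().solicited replaced by a set."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in solicited_senders or is_bounce_or_receipt(msg):
        return False
    return has_html_inside_eml(msg)


# --- constructed sample messages (not real mail) -----------------------------
def build_sample(sender, subject, att_name, att_bytes, maintype="application",
                 subtype="octet-stream", as_raw_eml=False):
    """Outer message carrying an inner EML, which carries one attachment."""
    inner = EmailMessage()
    inner["From"], inner["To"], inner["Subject"] = "someone@example.net", "victim@example.com", "Invoice"
    inner.set_content("see attached")
    inner.add_attachment(att_bytes, maintype=maintype, subtype=subtype, filename=att_name)
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = sender, "victim@example.com", subject
    outer.set_content("Forwarding this to you")
    if as_raw_eml:  # .eml file with a generic content type
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="fwd.eml")
    else:           # declared message/rfc822 part
        outer.add_attachment(inner)
    # round-trip through the parser so the checks run on parsed bytes
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)


HTML_BYTES = b"<html><body>placeholder</body></html>"
SAMPLES = {
    "html_in_eml": build_sample("unknown@example.org", "Fwd: invoice", "invoice.htm.", HTML_BYTES),
    "html_in_raw_eml": build_sample("unknown@example.org", "Fwd: invoice", "page.html",
                                    HTML_BYTES, as_raw_eml=True),
    "bounce": build_sample("mailer-daemon@example.org", "Undeliverable: invoice",
                           "invoice.htm.", HTML_BYTES),
    "pdf_in_eml": build_sample("unknown@example.org", "Fwd: report", "report.pdf",
                               b"%PDF-1.4 placeholder", "application", "pdf"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16} -> {rule_matches(sample)}")
```

The `invoice.htm.` sample exercises the trailing-dot case the rule comments on: the extension is empty, so only the file-name test catches it. Note that the "solicited" stand-in is a plain allow-list and does not reproduce the history-based sender profile Sublime uses, so it will fire on any first-contact sender.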