Attachment: HTML Attachment with Login Portal Indicators
Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.
Sublime rule:

name: "Attachment: HTML Attachment with Login Portal Indicators"
description: |
  Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.
references:
  - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-file-attachments-still-a-threat/"
  - "https://app.any.run/tasks/6bd34bda-91ef-4d13-847c-81d7787dc763/"
  - "https://playground.sublimesecurity.com?id=6cd813e4-085b-4229-ad15-d2194cdbb91b"
type: "rule"
severity: "medium"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  // suspicious strings found in javascript
                  (
                    length(filter(.scan.javascript.strings, strings.ilike(., "*password*", ))) >= 2
                    and 2 of (
                      any(.scan.javascript.strings, strings.ilike(., "*incorrect*")),
                      any(.scan.javascript.strings, strings.ilike(., "*invalid*")),
                      any(.scan.javascript.strings, strings.ilike(., "*login*")),
                      any(.scan.javascript.strings, regex.icontains(., "sign.in")),
                    )
                  )
                  or (
                    // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
                    length(filter(.scan.strings.strings, strings.ilike(., "*password*", ))) >= 2
                    and 2 of (
                      any(.scan.strings.strings, strings.ilike(., "*incorrect*")),
                      any(.scan.strings.strings, strings.ilike(., "*invalid*")),
                      any(.scan.strings.strings, strings.ilike(., "*login*")),
                      any(.scan.strings.strings, strings.ilike(., "*<script>*")),
                      any(.scan.strings.strings, regex.icontains(., "sign.in")),
                      any(.scan.strings.strings,
                          regex.icontains(.,
                                          '<title>.[^<]+(Payment|Invoice|Statement|Login|Microsoft|Email|Excel)'
                          )
                      )
                    )
                  )
                  or
                  // Known phishing obfuscation
                  2 of (
                    // Enter password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Enter password*"
                        )
                    ),

                    // Forgotten my password
                    any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*Forgotten my password*"
                        )
                    ),

                    // Sign in
                    any(.scan.strings.strings,
                        strings.ilike(., "*Sign in*")
                    )
                  )
          )
  )
  // Unsolicited
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
id: "3aabf4a7-fefa-5266-83fe-012002c9db4a"
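To show what the rule's three indicator groups amount to outside the Sublime platform, here is an added Python example; it is not part of the rule above and not Sublime's own code. It approximates `.scan.strings.strings` with runs of printable ASCII (like the `strings` tool), `.scan.javascript.strings` with quoted literals found inside `<script>` bodies, and `file.explode(.)` with recursive zip extraction; the two HTML samples and the zip attachment are constructed for the demonstration, and `$file_extensions_common_archives` is reduced to `zip` as an assumption. The sender-side "unsolicited" conditions are left out because they need mailbox context, not file content.

```python
import io
import re
import zipfile
from typing import Iterator

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
ARCHIVE_EXTENSIONS = {"zip"}  # stand-in for $file_extensions_common_archives (assumption)

# Constructed sample attachment: a tiny HTML page shaped like a login portal,
# carrying the indicator strings the rule looks for inside its <script> block.
SAMPLE_HTML = b"""<html><head><title>Secure Invoice Login</title></head>
<body>
<form id="f"><input type="password" name="password"><button>Sign in</button></form>
<script>
var msg1 = "Incorrect password. Try again.";
var msg2 = "Invalid login: please enter password";
function check() { if (document.forms[0].password.value == '') { alert(msg1); } }
</script>
</body></html>"""

# Constructed benign control: an HTML newsletter with no login indicators.
BENIGN_HTML = b"<html><head><title>Weekly update</title></head><body><p>Hello team</p></body></html>"

JS_LITERAL_RE = re.compile(r"""\"((?:[^"\\]|\\.)*)\"|'((?:[^'\\]|\\.)*)'""")
TITLE_RE = re.compile(r"<title>.[^<]+(Payment|Invoice|Statement|Login|Microsoft|Email|Excel)", re.I)
SIGNIN_RE = re.compile(r"sign.in", re.I)


def extract_strings(data: bytes) -> list[str]:
    """Rough equivalent of .scan.strings.strings: runs of 4+ printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", data)]


def extract_js_strings(data: bytes) -> list[str]:
    """Rough equivalent of .scan.javascript.strings: quoted literals inside <script> bodies."""
    text = data.decode("utf-8", errors="replace")
    literals = []
    for body in re.findall(r"<script[^>]*>(.*?)</script>", text, flags=re.I | re.S):
        for dq, sq in JS_LITERAL_RE.findall(body):
            literals.append(dq or sq)
    return literals


def ilike(s: str, needle: str) -> bool:
    """strings.ilike(., "*needle*"): case-insensitive substring match."""
    return needle.lower() in s.lower()


def count_of(conds) -> int:
    """'N of (...)' helper: how many of the conditions hold."""
    return sum(1 for c in conds if c)


def login_portal_indicators(data: bytes) -> dict[str, bool]:
    """Evaluate the rule's three indicator groups against one exploded file."""
    js = extract_js_strings(data)
    strs = extract_strings(data)
    js_branch = sum(ilike(s, "password") for s in js) >= 2 and count_of([
        any(ilike(s, "incorrect") for s in js),
        any(ilike(s, "invalid") for s in js),
        any(ilike(s, "login") for s in js),
        any(SIGNIN_RE.search(s) for s in js),
    ]) >= 2
    strings_branch = sum(ilike(s, "password") for s in strs) >= 2 and count_of([
        any(ilike(s, "incorrect") for s in strs),
        any(ilike(s, "invalid") for s in strs),
        any(ilike(s, "login") for s in strs),
        any(ilike(s, "<script>") for s in strs),
        any(SIGNIN_RE.search(s) for s in strs),
        any(TITLE_RE.search(s) for s in strs),
    ]) >= 2
    obfuscation_branch = count_of([
        any(ilike(s, "Enter password") for s in strs),
        any(ilike(s, "Forgotten my password") for s in strs),
        any(ilike(s, "Sign in") for s in strs),
    ]) >= 2
    return {"javascript": js_branch, "strings": strings_branch, "obfuscation": obfuscation_branch}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode(name: str, data: bytes) -> Iterator[tuple[str, bytes]]:
    """Rough equivalent of file.explode(.): the file itself, then each zip member, recursively."""
    yield name, data
    if _ext(name) in ARCHIVE_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield from explode(f"{name}/{member}", zf.read(member))


def looks_like_html(name: str, data: bytes) -> bool:
    """Extension check plus a content sniff standing in for .file_type == "html"."""
    ext = _ext(name)
    return ext in HTML_EXTENSIONS or (ext not in ARCHIVE_EXTENSIONS and b"<html" in data[:2048].lower())


def scan_attachment(name: str, data: bytes) -> list[str]:
    """Return the names of exploded HTML files that carry login-portal indicators."""
    return [n for n, d in explode(name, data)
            if looks_like_html(n, d) and any(login_portal_indicators(d).values())]


def build_sample_archive() -> bytes:
    """Constructed zip attachment wrapping the sample HTML, to exercise the archive path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("invoice.html", SAMPLE_HTML))          # ['invoice.html']
    print(scan_attachment("newsletter.html", BENIGN_HTML))        # []
    print(scan_attachment("invoice.zip", build_sample_archive())) # ['invoice.zip/invoice.html']
```

The `2 of (...)` thresholds are what keep a single stray word like "login" in a newsletter from firing; each branch needs at least two password-bearing strings plus two independent indicators, and the archive path reports the inner HTML file rather than the zip container, which is the same shape as the rule's `any(file.explode(.), ...)` walk.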