Attachment: HTML With Emoji-to-Character Map
Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior.
# Sublime Security detection rule (MQL in the `source` block scalar).
# Fires on an inbound message carrying an HTML attachment whose content holds
# a long comma-delimited run of emoji, a layout consistent with an
# emoji-to-character substitution map (see tactics_and_techniques: Evasion,
# HTML smuggling), when the sender has no established or trusted history.
name: "Attachment: HTML With Emoji-to-Character Map"
description: "Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior."
type: "rule"
severity: "high"
source: |
  type.inbound
  // At least one attachment that is, or may be, HTML. The generic
  // "application/octet-stream" content type is accepted too, presumably so
  // HTML delivered without an HTML label is still inspected; the emoji
  // count below is what actually decides the match.
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
            or .content_type in ("application/octet-stream", "text/html")
          )
          // Count code points from the common emoji/symbol blocks that are
          // followed within 10 characters by a comma, i.e. entries of a
          // comma-delimited list. More than 10 such entries is treated as a
          // character map rather than decorative use.
          // NOTE(review): `.` normally does not match a newline, so an emoji
          // and its trailing comma are expected on the same line — confirm
          // against the regex engine in use.
          and regex.icount(file.parse_html(.).raw,
                           '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}].{0,10},'
          ) > 10
  )
  // Sender is either unestablished (new/outlier prevalence and not
  // solicited) or has a prior malicious/spam verdict ...
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // ... and carries no prior false-positive history.
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Impersonation: Brand"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
id: "3119d086-13b9-549c-85b9-8117beaded4a"