Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.
Sublime rule (View on GitHub)
name: "Attachment: HTML smuggling with excessive string concatenation and suspicious patterns"
description: "Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          // HTML file, or something like it
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
            or .file_type == "html"
          )

          // small HTML file
          and .size < 5000

          // lots of concatenation (obfuscation technique)
          and strings.count(file.parse_html(.).raw, "+") > 20

          // contains a recipient's email address
          and any(recipients.to,
                  strings.icontains(file.parse_html(..).raw, .email.email)
                  and .email.domain.valid
          )

          // HTML smuggling
          and 1 of (
            strings.ilike(file.parse_html(.).raw, "*window.location.href*"),
            strings.ilike(file.parse_html(.).raw, "*createObjectURL*")
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "e34fce8d-e454-5090-99c6-bc66e1023957"
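The following is an added example, not Sublime's code and not part of the rule above: a plain-Python re-implementation of the same five conditions, run over a constructed attachment so you can see which clause each sample passes or fails before tuning the thresholds. It assumes the attachment is available as raw bytes plus the metadata fields the rule reads (file name, content type, Sublime's sniffed file type), approximates file.parse_html(.).raw with the decoded bytes, and stands in for .email.domain.valid with a simple syntactic domain check. The sample HTML and recipient address are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Thresholds copied from the rule above.
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
SMUGGLING_INDICATORS = ("window.location.href", "createObjectURL")
MAX_HTML_SIZE = 5000      # rule: .size < 5000
MIN_PLUS_COUNT = 20       # rule: strings.count(raw, "+") > 20

# Assumption: a syntactically plausible registrable domain counts as "valid".
# Sublime's .email.domain.valid is richer than this regex.
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


@dataclass
class Attachment:
    file_name: str
    content: bytes
    content_type: str = "text/html"
    file_type: str = "html"  # sniffed type; "unknown" when it cannot be sniffed

    @property
    def file_extension(self):
        return self.file_name.rsplit(".", 1)[1].lower() if "." in self.file_name else None

    @property
    def size(self) -> int:
        return len(self.content)


def domain_valid(address: str) -> bool:
    return bool(_DOMAIN_RE.match(address.rpartition("@")[2].lower()))


def looks_like_html(a: Attachment) -> bool:
    """The rule's 'HTML file, or something like it' block."""
    if a.file_extension in HTML_EXTENSIONS:
        return True
    if (a.file_extension is None and a.file_type == "unknown"
            and a.content_type == "application/octet-stream"
            and a.size < 100_000_000):
        return True
    return a.file_type == "html"


def failed_conditions(a: Attachment, recipients_to: list[str]) -> list[str]:
    """Names of the rule's conditions this attachment does NOT meet.
    An empty list means the rule would fire on this attachment."""
    raw = a.content.decode("utf-8", errors="replace")  # stand-in for file.parse_html(.).raw
    lower = raw.lower()
    failed = []
    if not looks_like_html(a):
        failed.append("html_like")
    if not a.size < MAX_HTML_SIZE:
        failed.append("small")
    if not raw.count("+") > MIN_PLUS_COUNT:
        failed.append("concatenation")
    # strings.icontains is case-insensitive, so compare lowercased text.
    if not any(r.lower() in lower and domain_valid(r) for r in recipients_to):
        failed.append("recipient_email")
    # strings.ilike(raw, "*x*") is a case-insensitive substring match.
    if not any(ind.lower() in lower for ind in SMUGGLING_INDICATORS):
        failed.append("smuggling_indicator")
    return failed


def rule_matches(a: Attachment, recipients_to: list[str]) -> bool:
    return not failed_conditions(a, recipients_to)


# Constructed sample, not a real lure: the page is built one character at a
# time with "+", written into a Blob, and navigated to via createObjectURL.
RECIPIENT = "jane.doe@example.com"
_PAYLOAD = "<p>constructed sample payload</p>"


def build_sample_html() -> bytes:
    concat = " + ".join(f'"{c}"' for c in _PAYLOAD)
    lines = [
        "<html><body><script>",
        f'var who = "{RECIPIENT}";',
        f"var d = {concat};",
        'var b = new Blob([d], {type: "text/html"});',
        "var u = URL.createObjectURL(b);",
        "window.location.href = u;",
        "</script></body></html>",
    ]
    return "\n".join(lines).encode()


# Constructed benign control: same recipient, some script, no concatenation
# and no smuggling API, so only the last two clauses should fail.
SAMPLE_BENIGN_HTML = (
    "<html><body><p>Hi jane.doe@example.com, your report is attached.</p>"
    "<script>document.title = 'Report';</script></body></html>"
).encode()


if __name__ == "__main__":
    for name, body in (("invoice.html", build_sample_html()), ("report.html", SAMPLE_BENIGN_HTML)):
        att = Attachment(name, body)
        print(name, "match" if rule_matches(att, [RECIPIENT]) else "no match",
              failed_conditions(att, [RECIPIENT]))
```

Running it reports the smuggling sample as a match and the benign control as failing only the concatenation and smuggling-indicator clauses, which is the useful property of this rule: the email-address requirement alone is satisfied by plenty of legitimate mail, and it is the conjunction with the "+" count and the Blob/navigation API that keeps false positives down. The 5000-byte ceiling also means a padded or larger smuggling page slips past this particular rule, which is worth knowing when you rely on it.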