Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts

Detects messages with HTML attachments containing multiple 'const' declarations, while excluding legitimate Gmail messages. Such content can be evidence of code injection or obfuscation techniques.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts"
 2description: "Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension in~ ("html", "htm", "shtml", "dhtml")
10            or .file_type == "html"
11          )
12          and strings.count(file.parse_html(.).raw, 'const') >= 7
13          and not regex.contains(file.parse_html(.).raw,
14                                 "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
15          )
16          and length(file.parse_html(.).raw) < 50000
17          // long timeouts
18          and regex.icontains(file.parse_html(.).raw,
19                              'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
20                              // const delay = new Promise((resolve) => setTimeout(resolve, 100));
21                              'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
22          )
23  )
24  
25  // negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
26  and not (
27    sender.email.domain.root_domain in $high_trust_sender_root_domains
28    and coalesce(headers.auth_summary.dmarc.pass, false)
29  )  
30attack_types:
31  - "Malware/Ransomware"
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "HTML smuggling"
35  - "Scripting"
36  - "Evasion"
37detection_methods:
38  - "HTML analysis"
39  - "File analysis"
40  - "Content analysis"
41id: "66f8a07a-5f0f-5a99-976c-a81d2de8b406"