Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques.
# Sublime Security detection rule; the `source` block scalar holds the MQL query.
# Fires on inbound mail carrying a small HTML attachment whose raw markup holds
# many 'const' declarations plus a setTimeout-based delay, unless the sender is a
# high-trust root domain that also passes DMARC.
name: "Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts"
description: "Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques."
type: "rule"
severity: "high"
source: |
  type.inbound
  // at least one attachment must satisfy every condition inside any()
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          // raw substring count of 'const' in the parsed HTML; presumably this
          // also counts 'const' inside longer words (constant, construct) — confirm
          and strings.count(file.parse_html(.).raw, 'const') >= 7
          // false-positive suppression for pages saved from the Gmail web UI;
          // a content-based exclusion only, not a trust decision about the file
          and not regex.contains(file.parse_html(.).raw,
                                 "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
          )
          // size cap: only small HTML files are in scope
          and length(file.parse_html(.).raw) < 50000
          // long timeouts
          // true when either listed pattern matches (case-insensitive);
          // [\s\S]*? lets the callback body span newlines
          // NOTE(review): the first pattern accepts any delay value (\d+), while only
          // the second enforces three or more digits — confirm that is intended
          and regex.icontains(file.parse_html(.).raw,
                              'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
                              // const delay = new Promise((resolve) => setTimeout(resolve, 100));
                              'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
          )
  )

  // and the sender is not from high trust sender root domains
  // i.e. the rule is suppressed only when a high-trust root domain also passes DMARC
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "File analysis"
  - "Content analysis"
id: "66f8a07a-5f0f-5a99-976c-a81d2de8b406"