Attachment: HTML file with excessive padding and suspicious patterns
Attached HTML file contains excessive line breaks and suspicious JavaScript patterns.
Sublime rule
name: "Attachment: HTML file with excessive padding and suspicious patterns"
description: |
  Attached HTML file contains excessive line breaks and suspicious Javascript patterns.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .content_type == "text/html"
            or .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          and any(file.explode(.), any(.scan.yara.matches, .name == "HTML_EXCESSIVE_PADDING"))
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "YARA"
id: "0a6aee1e-df58-5f1e-8f49-477ed61babe5"
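
Added illustration, not Sublime's code and not the actual HTML_EXCESSIVE_PADDING YARA signature (which this page does not show): the Python below mirrors the rule's attachment check and substitutes an assumed stand-in for the signature, namely a run of at least 200 blank lines together with a JavaScript decode, eval or write call. The `Attachment` class, the threshold, the patterns and the sample files are all constructed for this example.

```python
import re
from dataclasses import dataclass

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}  # list taken from the rule

# ASSUMED stand-in for the HTML_EXCESSIVE_PADDING signature (not shown on the page):
# a run of >= 200 blank lines, plus a JavaScript decode/eval/write call.
BLANK_RUN = re.compile(r"(?:[ \t]*\r?\n){200,}")
SUSPICIOUS_JS = re.compile(
    r"\b(?:atob|unescape|eval|fromCharCode)\s*\(|document\.write\s*\(", re.I)

@dataclass
class Attachment:  # hypothetical model of a parsed attachment
    file_name: str
    content_type: str
    file_type: str  # type detected from content, e.g. "html"
    body: str

def is_html_attachment(att: Attachment) -> bool:
    """Mirror the rule's three-way check; `in~` is case-insensitive."""
    ext = att.file_name.rsplit(".", 1)[-1].lower() if "." in att.file_name else ""
    return (att.content_type == "text/html"
            or ext in HTML_EXTENSIONS
            or att.file_type == "html")

def padded_and_scripted(body: str) -> bool:
    """Stand-in signature: long blank-line run AND a suspicious JS call."""
    return bool(BLANK_RUN.search(body)) and bool(SUSPICIOUS_JS.search(body))

def rule_matches(inbound: bool, attachments: list) -> bool:
    """type.inbound and any(attachments, <html check> and <signature hit>)."""
    return inbound and any(
        is_html_attachment(a) and padded_and_scripted(a.body) for a in attachments)

# Constructed samples: the script sits 500 blank lines below the visible text.
PADDED = "<html><body>Invoice attached.</body>" + "\n" * 500 + \
         "<script>document.write(atob('ZGVtbw=='))</script></html>"
CLEAN = "<html><body><script>document.write('hi')</script></body></html>"
SAMPLES = {
    "padded_html": Attachment("invoice.html", "text/html", "html", PADDED),
    "upper_ext": Attachment("INVOICE.HTM", "application/octet-stream", "unknown", PADDED),
    "clean_html": Attachment("note.html", "text/html", "html", CLEAN),
    "padded_txt": Attachment("log.txt", "text/plain", "txt", PADDED),
}

if __name__ == "__main__":
    for name, att in SAMPLES.items():
        print(name, rule_matches(True, [att]))
```

The `clean_html` sample contains a `document.write(` call but no padding, and `padded_txt` has the padding but fails all three HTML checks, so neither fires: both halves of the rule's `and` must hold.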