Attachment: HTML with Hidden Body

This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` key holds an MQL expression;
# inside that block, lines beginning with // are MQL comments, not YAML comments.
name: "Attachment: HTML with Hidden Body"
description: "This rule identifies HTML attachments which begin directly with a hidden body element.  This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body."
type: "rule"
severity: "high"
source: |
  // inbound mail only, from a sender the recipient has not previously solicited
  type.inbound
  and not profile.by_sender().solicited
  // not high trust sender domains
  // (a high-trust root domain stays in scope when the DMARC check did not pass,
  //  so a spoofed trusted domain is not exempted)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // NOTE(review): this is an exact string comparison on the extension, so an
  // attachment named with ".htm" (or an upper-case extension) is not examined
  // by this rule — confirm whether that narrower scope is intended
  and any(attachments,
          .file_extension == "html"
          // starts with the hidden body element
          // the match is anchored with ^ to the very start of the raw markup and
          // accepts only a double-quoted style attribute whose sole declaration
          // is display:none; markup before <body>, single-quoted attributes or
          // other hiding styles (e.g. additional CSS properties) fall outside
          // what this pattern detects
          and regex.icontains(file.parse_html(.).raw,
                                  '^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">'
          )
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "File analysis"
id: "b059a781-b681-5c84-98ba-416deb165555"