Attachment: HTML with JavaScript Functions for HTTP requests
This rule identifies HTML attachments which contain multiple references to JavaScript functions that support making HTTP requests. This has been observed in phishing campaigns to load remote payloads into otherwise benign HTML attachments.
Sublime rule (View on GitHub)
1name: "Attachment: HTML with JavaScript Functions for HTTP requests"
2description: "This rule identifies HTML attachments which contain multiple references to JavaScript functions that support making HTTP requests. This has been observed in phishing campaigns to load remote payloads into otherwise benign HTML attachments."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and not profile.by_sender().solicited
8 // not high trust sender domains
9 and (
10 (
11 sender.email.domain.root_domain in $high_trust_sender_root_domains
12 and not headers.auth_summary.dmarc.pass
13 )
14 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
15 )
16 and any(attachments,
17 .file_extension in~ ("html", "htm", "shtml", "dhtml")
18 and 3 of (
19 strings.icontains(file.parse_html(.).raw, '.replace'),
20 strings.icontains(file.parse_html(.).raw, 'XMLHttpRequest'),
21 strings.icontains(file.parse_html(.).raw, 'onreadystate'),
22 strings.icontains(file.parse_html(.).raw, 'GET'),
23 strings.icontains(file.parse_html(.).raw, 'send()'),
24 strings.icontains(file.parse_html(.).raw, 'responseText'),
25 )
26 )
27
28attack_types:
29 - "Credential Phishing"
30tactics_and_techniques:
31 - "Evasion"
32 - "Scripting"
33detection_methods:
34 - "Content analysis"
35 - "HTML analysis"
36 - "Javascript analysis"
37 - "File analysis"
38id: "01e679fd-6c5a-542f-b98b-1b8de7132311"