Attachment: HTML with obfuscation and recipient's email in JavaScript strings

An attached HTML file contains JavaScript with suspicious identifiers such as 'atob' or 'decrypt' and also embeds the recipient's email address in a JavaScript string.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML with obfuscation and recipient's email in JavaScript strings"
 2description: |
 3    Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15            )
16            or .file_extension in~ $file_extensions_common_archives
17            or .file_type == "html"
18            or .content_type == "text/html"
19          )
20          and .size < 1000000
21          and any(file.explode(.),
22                  // suspicious identifiers
23                  any([.scan.strings.strings, .scan.javascript.identifiers],
24                      any(., strings.like(., "*atob*", "*decrypt*"))
25                  )
26          )
27          // Recipients address found in javascript
28          and any(file.explode(.),
29                  (
30                    any(recipients.to,
31                        (
32                          any(..scan.javascript.strings,
33                              strings.icontains(., ..email.email)
34                          )
35                          or any(..scan.strings.strings,
36                                 strings.icontains(., ..email.email)
37                          )
38                        )
39                        and (
40                          .email.domain.valid
41                          or strings.icontains(.display_name, "undisclosed")
42                        )
43                    )
44                  )
45          )
46          // Negating Cisco Secure Email Encryption
47          and not any(file.explode(.),
48                      any(.scan.javascript.strings,
49                          strings.contains(., "Cisco Registered Envelope Service")
50                          or strings.contains(., "https://res.cisco.com:443")
51                      )
52          )
53  )  
54
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "HTML smuggling"
59  - "Scripting"
60detection_methods:
61  - "Archive analysis"
62  - "File analysis"
63  - "HTML analysis"
64  - "Javascript analysis"
65id: "1aff486b-527c-597c-9ca9-3be37210fd97"