Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
Sublime rule
name: "Attachment: HTML with obfuscation and recipient's email in JavaScript strings"
description: |
  Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "text/html"
          )
          and any(file.explode(.),
                  // suspicious identifiers
                  any([.scan.strings.strings, .scan.javascript.identifiers],
                      any(., strings.like(., "*atob*", "*decrypt*"))
                  )
          )
          // Recipients address found in javascript
          and any(file.explode(.),
                  any(recipients.to,
                      any(..scan.javascript.strings, strings.icontains(., ..email.email))
                      and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
                  )

                  // Negating Cisco Secure Email Encryption
                  and not any(.scan.javascript.strings,
                              strings.contains(., "Cisco Registered Envelope Service")
                              and not strings.contains(., "https://res.cisco.com:443")
                  )
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "1aff486b-527c-597c-9ca9-3be37210fd97"
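To make the rule's three clauses concrete, here is an added Python approximation (example code, not Sublime's MQL engine or the rule's own code): the hypothetical helpers extract_js, is_html_like and rule_matches stand in for file.explode and the rule's predicates, and run over a constructed sample attachment and recipient list. The archive branch of the attachment filter is omitted, and the crude regex tokeniser only approximates the platform's JavaScript scan.

```python
import re

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml", "xhtml"}
SUSPICIOUS_IDENTIFIERS = ("atob", "decrypt")  # the rule's strings.like("*atob*", "*decrypt*")

def extract_js(html):
    """Stand-in for file.explode(): (string literals, identifiers) found in <script> bodies."""
    js = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    literals = [m.group(2) for m in re.finditer(r"(['\"])(.*?)\1", js, re.S)]
    code_only = re.sub(r"(['\"]).*?\1", "", js, flags=re.S)  # drop literals before tokenising
    identifiers = sorted(set(re.findall(r"\b[A-Za-z_$][\w$]*", code_only)))
    return literals, identifiers

def is_html_like(att):
    """The attachment filter at the top of the rule (the archive branch is omitted here)."""
    ext = (att.get("file_extension") or "").lower()
    return (ext in HTML_EXTENSIONS
            or (att.get("file_extension") is None and att.get("file_type") == "unknown"
                and att.get("content_type") == "application/octet-stream")
            or att.get("file_type") == "html" or att.get("content_type") == "text/html")

def rule_matches(att, recipients):
    """True when this attachment would trip the rule for the message's recipients.to list."""
    if not is_html_like(att):
        return False
    literals, identifiers = extract_js(att["content"])
    # suspicious identifiers: strings.like is case-sensitive, so a plain substring test
    suspicious = any(tok in s for s in literals + identifiers for tok in SUSPICIOUS_IDENTIFIERS)
    # recipient's address inside a JavaScript string (strings.icontains is case-insensitive)
    recipient_in_js = any(
        any(r["email"].lower() in s.lower() for s in literals)
        and (r.get("domain_valid", True) or "undisclosed" in r.get("display_name", "").lower())
        for r in recipients)
    # the rule's Cisco Registered Envelope Service negation, reproduced as written
    cisco_envelope = any("Cisco Registered Envelope Service" in s
                         and "https://res.cisco.com:443" not in s for s in literals)
    return suspicious and recipient_in_js and not cisco_envelope

# Constructed sample: a smuggled HTML page that decodes its body and personalises it for the recipient
SAMPLE_ATTACHMENT = {
    "file_extension": "html", "file_type": "html", "content_type": "text/html",
    "content": """<html><body><script>
var who = "Alice.Smith@example.com";
var page = atob("PGgxPlNpZ24gaW48L2gxPg==");
document.write(page.replace("{u}", who));
</script></body></html>""",
}
SAMPLE_RECIPIENTS = [{"email": "alice.smith@example.com", "display_name": "Alice Smith", "domain_valid": True}]
print(rule_matches(SAMPLE_ATTACHMENT, SAMPLE_RECIPIENTS))  # True
```

Swapping the sample's content for a page without atob/decrypt, or for one whose strings include "Cisco Registered Envelope Service", shows the identifier clause and the negation clause each suppressing the match on their own.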