Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
Sublime rule (View on GitHub)
1name: "Attachment: HTML with obfuscation and recipient's email in JavaScript strings"
2description: |
3 Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and any(attachments,
9 (
10 .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
11 or (
12 .file_extension is null
13 and .file_type == "unknown"
14 and .content_type == "application/octet-stream"
15 )
16 or .file_extension in~ $file_extensions_common_archives
17 or .file_type == "html"
18 or .content_type == "text/html"
19 )
20 and .size < 1000000
21 and any(file.explode(.),
22 // suspicious identifiers
23 any([.scan.strings.strings, .scan.javascript.identifiers],
24 any(., strings.like(., "*atob*", "*decrypt*"))
25 )
26 )
27 // Recipients address found in javascript
28 and any(file.explode(.),
29 (
30 any(recipients.to,
31 (
32 any(..scan.javascript.strings,
33 strings.icontains(., ..email.email)
34 )
35 or any(..scan.strings.strings,
36 strings.icontains(., ..email.email)
37 )
38 )
39 and (
40 .email.domain.valid
41 or strings.icontains(.display_name, "undisclosed")
42 )
43 )
44 )
45 )
46 // Negating Cisco Secure Email Encryption
47 and not any(file.explode(.),
48 any(.scan.javascript.strings,
49 strings.contains(., "Cisco Registered Envelope Service")
50 or strings.contains(., "https://res.cisco.com:443")
51 )
52 )
53 )
54
55attack_types:
56 - "Credential Phishing"
57tactics_and_techniques:
58 - "HTML smuggling"
59 - "Scripting"
60detection_methods:
61 - "Archive analysis"
62 - "File analysis"
63 - "HTML analysis"
64 - "Javascript analysis"
65id: "1aff486b-527c-597c-9ca9-3be37210fd97"