Attachment: HTML file with reference to recipient and suspicious patterns

Attached HTML file contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML file with reference to recipient and suspicious patterns"
 2description: |
 3    Attached HTML file contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .content_type == "text/html"
11            or .file_extension in~ ("html", "htm", "shtml", "dhtml")
12            or .file_type == "html"
13          )
14          and any(file.explode(.),
15                  .flavors.mime in~ ("text/html", "text/plain")
16                  and any(recipients.to,
17                          any(..scan.strings.strings,
18                              strings.icontains(., ..email.email)
19                          )
20                          and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
21                  )
22          )
23          and any(file.explode(.),
24                  (
25                    any(.flavors.yara, . == "javascript_file")
26                    // common indicator of HTML smuggling
27                    and length(filter(.scan.javascript.identifiers, strings.ilike(., "_0x*"))) > 50
28                  )
29                  or (
30                    // javascript that doesn't get pulled out properly
31                    .flavors.mime == "text/plain"
32                    and strings.ilike(.file_name, "script*")
33                    // common indicator of HTML smuggling
34                    and length(filter(.scan.strings.strings, regex.imatch(., ".*_0x.*"))) > 50
35                  )
36          )
37  )  
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "HTML smuggling"
42  - "Scripting"
43detection_methods:
44  - "Content analysis"
45  - "File analysis"
46  - "HTML analysis"
47  - "Javascript analysis"
48  - "YARA"
49id: "5333493d-48a8-532d-a621-d278a59bbf9b"
to-top