Attachment: HTML smuggling with atob and high entropy

 1name: "Attachment: HTML smuggling with atob and high entropy"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
 4references:
 5  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15            or .content_type == "message/rfc822"
16          )
17          and any(file.explode(.),
18                  .scan.entropy.entropy >= 5
19                  and (
20                    length(filter(.scan.javascript.identifiers,
21                                  strings.like(., "document", "write", "atob")
22                           )
23                    ) == 3
24                    // usage: document['write'](atob)
25                    or any(.scan.strings.strings, regex.icontains(., "document.{0,10}write.{0,10}atob"))
26                    // usage: some_var = atob();
27                    or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
28                    // usage: atob(atob
29                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
30                    // usage: {src: atob
31                    or any(.scan.strings.strings, strings.ilike(., "*{src: atob*"))
32                    // usage: eval(atob)
33                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
34                      // usage: atob(_0x)
35                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
36                    // usage : 'at'+'ob'
37                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
38                    // usage: obfuscating "atob"
39                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
40                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
41                    or any(.scan.strings.strings,
42                           strings.ilike(.,
43                                         "*document*insertAdjacentHTML*atob*"
44                           )
45                    )
46                  )
47          )
48  )
49  // negate bouncebacks and undeliverables
50  and not any(attachments,
51              .content_type in (
52                "message/global-delivery-status",
53                "message/delivery-status"
54              )
55  )
56  // negate highly trusted sender domains unless they fail DMARC authentication
57  and (
58    (
59      sender.email.domain.root_domain in $high_trust_sender_root_domains
60      and not headers.auth_summary.dmarc.pass
61    )
62    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
63  )  
64
65attack_types:
66  - "Credential Phishing"
67  - "Malware/Ransomware"
68tactics_and_techniques:
69  - "HTML smuggling"
70  - "Scripting"
71detection_methods:
72  - "Archive analysis"
73  - "Content analysis"
74  - "File analysis"
75  - "HTML analysis"
76  - "Javascript analysis"
77  - "Sender analysis"
78  - "URL analysis"
79id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"