Attachment: HTML smuggling with atob and high entropy

 1name: "Attachment: HTML smuggling with atob and high entropy"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
 4references:
 5  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15            or .content_type == "message/rfc822"
16            or .file_extension in ('eml')
17          )
18          and any(file.explode(.),
19                  .scan.entropy.entropy >= 5
20                  and (
21                    length(filter(.scan.javascript.identifiers,
22                                  strings.like(., "document", "write", "atob")
23                           )
24                    ) == 3
25                    // usage: document['write'](atob)
26                    or any(.scan.strings.strings,
27                           regex.icontains(., "document.{0,10}write.{0,10}atob")
28                    )
29                    // usage: some_var = atob();
30                    or any(.scan.strings.strings,
31                           regex.icontains(., "=.?atob.*;")
32                    )
33                    // usage: atob(atob
34                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
35                    // usage: {src: atob
36                    or any(.scan.strings.strings,
37                           strings.ilike(., "*{src: atob*")
38                    )
39                    // usage: eval(atob)
40                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
41                    // usage: atob(_0x)
42                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
43                    // usage : 'at'+'ob'
44                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
45                    // usage: obfuscating "atob"
46                    or any(.scan.javascript.identifiers,
47                           strings.ilike(., '*ato\u0062*')
48                    )
49                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
50                    or any(.scan.strings.strings,
51                           strings.ilike(., "*document*insertAdjacentHTML*atob*")
52                    )
53                  )
54          )
55  )
56  // negate bouncebacks and undeliverables
57  and not any(attachments,
58              .content_type in (
59                "message/global-delivery-status",
60                "message/delivery-status"
61              )
62  )
63  // negate highly trusted sender domains unless they fail DMARC authentication
64  and (
65    (
66      sender.email.domain.root_domain in $high_trust_sender_root_domains
67      and not headers.auth_summary.dmarc.pass
68    )
69    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
70  )  
71attack_types:
72  - "Credential Phishing"
73  - "Malware/Ransomware"
74tactics_and_techniques:
75  - "HTML smuggling"
76  - "Scripting"
77detection_methods:
78  - "Archive analysis"
79  - "Content analysis"
80  - "File analysis"
81  - "HTML analysis"
82  - "Javascript analysis"
83  - "Sender analysis"
84  - "URL analysis"
85id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"