Attachment: HTML smuggling with atob and high entropy

 1name: "Attachment: HTML smuggling with atob and high entropy"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
 4references:
 5  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15            or .content_type == "message/rfc822" or .file_extension in ('eml')
16            
17          )
18          and any(file.explode(.),
19                  .scan.entropy.entropy >= 5
20                  and (
21                    length(filter(.scan.javascript.identifiers,
22                                  strings.like(., "document", "write", "atob")
23                           )
24                    ) == 3
25                    // usage: document['write'](atob)
26                    or any(.scan.strings.strings, regex.icontains(., "document.{0,10}write.{0,10}atob"))
27                    // usage: some_var = atob();
28                    or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
29                    // usage: atob(atob
30                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
31                    // usage: {src: atob
32                    or any(.scan.strings.strings, strings.ilike(., "*{src: atob*"))
33                    // usage: eval(atob)
34                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
35                      // usage: atob(_0x)
36                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
37                    // usage : 'at'+'ob'
38                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
39                    // usage: obfuscating "atob"
40                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
41                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
42                    or any(.scan.strings.strings,
43                           strings.ilike(.,
44                                         "*document*insertAdjacentHTML*atob*"
45                           )
46                    )
47                  )
48          )
49  )
50  // negate bouncebacks and undeliverables
51  and not any(attachments,
52              .content_type in (
53                "message/global-delivery-status",
54                "message/delivery-status"
55              )
56  )
57  // negate highly trusted sender domains unless they fail DMARC authentication
58  and (
59    (
60      sender.email.domain.root_domain in $high_trust_sender_root_domains
61      and not headers.auth_summary.dmarc.pass
62    )
63    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64  )  
65
66attack_types:
67  - "Credential Phishing"
68  - "Malware/Ransomware"
69tactics_and_techniques:
70  - "HTML smuggling"
71  - "Scripting"
72detection_methods:
73  - "Archive analysis"
74  - "Content analysis"
75  - "File analysis"
76  - "HTML analysis"
77  - "Javascript analysis"
78  - "Sender analysis"
79  - "URL analysis"
80id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"