Attachment: HTML smuggling with atob and high entropy via calendar invite

Scans calendar invites (.ics files) to detect HTML smuggling techniques.

Sublime rule (View on GitHub)

# Sublime Security detection rule. `source` is a block scalar holding the MQL
# expression evaluated against each inbound message; every other key is metadata
# used for triage and reporting rather than by the query itself.
name: "Attachment: HTML smuggling with atob and high entropy via calendar invite"
description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
type: "rule"
severity: "high"
source: |
  type.inbound
  // the attachment must be a calendar invite, matched either by extension
  // (=~ is a case-insensitive comparison) or by its declared MIME type
  and any(attachments,
          (.file_extension =~ "ics" or .content_type == "text/calendar")
          // file.explode(.) yields the invite and anything nested inside it;
          // every condition below is evaluated per exploded child
          and any(file.explode(.),
                  // entropy gate: a base64-encoded payload (what atob() would
                  // decode) scores high, so low-entropy children are skipped
                  // before any string/identifier matching is attempted
                  .scan.entropy.entropy >= 5
                  and (
                    // all three identifiers must be present: strings.like with no
                    // wildcards is a literal, case-sensitive match per identifier.
                    // NOTE(review): == 3 assumes the identifier list holds each
                    // name at most once — confirm; >= 3 would tolerate duplicates
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(., "document", "write", "atob")
                           )
                    ) == 3
                    // usage: document['write'](atob)
                    // the .{0,10} gaps allow bracket/quote access between the tokens
                    or any(.scan.strings.strings,
                           regex.icontains(., "document.{0,10}write.{0,10}atob")
                    )
                    // usage: some_var = atob();
                    or any(.scan.strings.strings,
                           regex.icontains(., "=.?atob.*;")
                    )
                    // usage: atob(atob
                    // (? in ilike stands for exactly one character, here the "(")
                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                    // usage: {src: atob
                    or any(.scan.strings.strings,
                           strings.ilike(., "*{src: atob*")
                    )
                    // usage: eval(atob)
                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                    // usage: atob(_0x)
                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                    // usage : 'at'+'ob'
                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
                    // usage: obfuscating "atob"
                    // \u0062 is the escape for "b"; the block scalar passes the
                    // backslash through literally. NOTE(review): whether MQL decodes
                    // the \u escape or matches the six literal characters is not
                    // visible here — confirm which form of the identifier is targeted
                    or any(.scan.javascript.identifiers,
                           strings.ilike(., '*ato\u0062*')
                    )
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(., "*document*insertAdjacentHTML*atob*")
                    )
                  )
          )
  )
  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a trusted root domain only reaches the verdict when DMARC did not pass;
  // any other root domain is evaluated unconditionally
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# classification metadata (not evaluated by the query above)
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
id: "94d84614-6f4a-5554-b30c-4ab67073d564"