Attachment: HTML smuggling with atob and high entropy via calendar invite
Scans calendar invites (.ics files) to detect HTML smuggling techniques.
# Sublime detection rule: flags inbound calendar invites (.ics) whose exploded
# content shows high entropy together with JavaScript-style base64 decoding
# (atob) patterns commonly used for HTML smuggling.
name: "Attachment: HTML smuggling with atob and high entropy via calendar invite"
description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
type: "rule"
severity: "high"
# MQL expression; `//` lines are comments inside the query language.
source: |
  type.inbound
  // Match an attachment that is a calendar invite by extension (case-insensitive)
  // or by declared MIME type.
  and any(attachments,
          (
            .file_extension =~ "ics"
            or .content_type == "text/calendar"
          )
          // Inspect the exploded contents of the invite: the same exploded object
          // must have high entropy AND at least one atob usage signal below.
          and any(file.explode(.),
                  .scan.entropy.entropy >= 5
                  and (
                    // All three identifiers "document", "write" and "atob" present.
                    // NOTE(review): `== 3` assumes the identifier list is de-duplicated;
                    // duplicates would push the count past 3 — verify against scan output.
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(., "document", "write", "atob")
                           )
                    ) == 3
                    // usage: document['write'](atob)
                    or any(.scan.strings.strings, regex.icontains(., "document.{0,10}write.{0,10}atob"))
                    // usage: some_var = atob();
                    or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
                    // usage: atob(atob
                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                    // usage: {src: atob
                    or any(.scan.strings.strings, strings.ilike(., "*{src: atob*"))
                    // usage: eval(atob)
                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                    // usage: atob(_0x)
                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                    // usage : 'at'+'ob'
                    or any(.scan.strings.strings, strings.ilike(., "*'at'+'ob'*"))
                    // usage: obfuscating "atob"
                    // The pattern is YAML single-quoted, so the backslash is kept literally:
                    // this matches the escaped spelling "ato\u0062" in an identifier.
                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(.,
                                         "*document*insertAdjacentHTML*atob*"
                           )
                    )
                  )
          )
  )
  // negate bouncebacks and undeliverables
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. the sender is either not on the high-trust list, or is on it but DMARC did not pass.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )


# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
# Stable rule identifier.
id: "94d84614-6f4a-5554-b30c-4ab67073d564"