Attachment: HTML smuggling with auto-downloaded file
HTML attachments containing files that are automatically downloaded with Javascript.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with auto-downloaded file"
2description: |
3 HTML attachments containing files that are automatically downloaded with Javascript.
4references:
5 - "https://delivr.to/payloads?id=40f2f908-b7ea-4dc8-9b72-4280c9005fdd"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml")
13 or .file_extension in~ $file_extensions_common_archives
14 or .file_type == "html"
15 )
16 and any(file.explode(.),
17 any(.scan.javascript.identifiers, strings.ilike(., 'click'))
18 and any(.scan.javascript.identifiers, strings.ilike(., 'addEventListener'))
19 and (
20 length(filter(.scan.javascript.identifiers,
21 strings.like(., "document", "write", "atob")
22 )
23 ) == 3
24 // usage: document['write'](atob)
25 or any(.scan.strings.strings, strings.ilike(., "*document*write*atob*"))
26 // usage: some_var = atob();
27 or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
28 // usage: obfuscating "atob"
29 or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
30 // usage: document.head.insertAdjacentHTML("beforeend", atob(...
31 or any(.scan.strings.strings,
32 strings.ilike(.,
33 "*document*write*atob*",
34 "*document*insertAdjacentHTML*atob*"
35 )
36 )
37 )
38 )
39 )
40attack_types:
41 - "Credential Phishing"
42 - "Malware/Ransomware"
43tactics_and_techniques:
44 - "HTML smuggling"
45 - "Scripting"
46detection_methods:
47 - "Archive analysis"
48 - "Content analysis"
49 - "File analysis"
50 - "HTML analysis"
51 - "Javascript analysis"
52 - "Sender analysis"
53 - "URL analysis"
54id: "abf724f5-d59e-546c-aec2-3f1bc0e2f14b"