Attachment: HTML smuggling with auto-downloaded file

HTML attachments containing files that are automatically downloaded with JavaScript.


 1name: "Attachment: HTML smuggling with auto-downloaded file"
 2description: |
 3    HTML attachments containing files that are automatically downloaded with Javascript.
 4references:
 5  - "https://delivr.to/payloads?id=40f2f908-b7ea-4dc8-9b72-4280c9005fdd"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15          )
16          and any(file.explode(.),
17                  any(.scan.javascript.identifiers, strings.ilike(., 'click'))
18                  and any(.scan.javascript.identifiers, strings.ilike(., 'addEventListener'))
19                  and (
20                    length(filter(.scan.javascript.identifiers,
21                                  strings.like(., "document", "write", "atob")
22                           )
23                    ) == 3
24                    // usage: document['write'](atob)
25                    or any(.scan.strings.strings, strings.ilike(., "*document*write*atob*"))
26                    // usage: some_var = atob();
27                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
28                    // usage: obfuscating "atob"
29                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
30                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
31                    or any(.scan.strings.strings,
32                           strings.ilike(.,
33                                         "*document*write*atob*",
34                                         "*document*insertAdjacentHTML*atob*"
35                           )
36                    )
37                  )
38          )
39  )  
40attack_types:
41  - "Credential Phishing"
42  - "Malware/Ransomware"
43tactics_and_techniques:
44  - "HTML smuggling"
45  - "Scripting"
46detection_methods:
47  - "Archive analysis"
48  - "Content analysis"
49  - "File analysis"
50  - "HTML analysis"
51  - "Javascript analysis"
52  - "Sender analysis"
53  - "URL analysis"
54id: "abf724f5-d59e-546c-aec2-3f1bc0e2f14b"