Attachment: HTML smuggling with base64 encoded ZIP file
Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content; the embedded payload is decoded and reassembled client-side, in the recipient's browser, so the file never crosses the gateway in its native form.
Sublime rule (View on GitHub)
name: "Attachment: HTML smuggling with base64 encoded ZIP file"
description: "Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content that are decoded and executed client-side."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          and (
            // javascript functions to decode the base64
            strings.icontains(file.parse_text(.).text, 'atob')
            or strings.icontains(file.parse_text(.).text, 'fromCharCode')
            or strings.icontains(file.parse_text(.).text, 'base64')
          )
          // Magic bytes for a ZIP/Office File that have been base64 encoded
          and regex.contains(file.parse_text(.).text,
                             '[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB'
          )
          // negation of Micro Focus Voltage Secure Messaging
          and not strings.contains(file.parse_text(.).text,
                                   "<input type=\"hidden\" name=\"ZFRdata\" value=\"\n-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA"
          )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "47e388de-08f8-5261-8571-99dbf73a352d"
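The following is an added example, not part of the Sublime rule or its repository, that re-implements the rule's four checks in Python so the logic can be exercised offline: the HTML extension or file-type gate, the case-insensitive decoder hints, the regex for the base64-encoded ZIP local-file-header magic (`PK\x03\x04` always encodes to a string beginning `UEsDB`, which is why the rule can match on that fixed prefix), and the Micro Focus Voltage negation. The sample attachments are constructed here for illustration; `is_html_smuggling` and the helper names are this example's own, and the example treats the raw attachment body as the text that `file.parse_text(.).text` would return, which is a simplification.

```python
import base64
import io
import re
import zipfile

# Mirrors the rule's extension list and decoder hints (icontains => lowercase compare)
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
DECODER_HINTS = ("atob", "fromcharcode", "base64")

# Same pattern as the rule: "UEsDB" must directly follow a delimiter or whitespace,
# so it matches a quoted/bracketed base64 literal but not the middle of a random token.
ZIP_B64_RE = re.compile(r'[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB')

# Exact string the rule negates: a Voltage Secure Messaging form field that
# legitimately carries a base64 ZIP.
VOLTAGE_MARKER = ('<input type="hidden" name="ZFRdata" value="\n'
                  '-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA')


def base64_zip_prefix():
    """Build a tiny, harmless ZIP in memory and base64-encode it, to show that
    a real archive's encoding starts with the fixed 'UEsDB' prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample archive, plain text only")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def is_html_smuggling(filename, text, file_type=None):
    """Return True when the attachment satisfies all of the rule's conditions."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not (ext in HTML_EXTENSIONS or file_type == "html"):
        return False                      # not an HTML attachment
    lowered = text.lower()
    if not any(hint in lowered for hint in DECODER_HINTS):
        return False                      # no client-side decoding routine
    if not ZIP_B64_RE.search(text):
        return False                      # no base64 ZIP/Office magic bytes
    if VOLTAGE_MARKER in text:
        return False                      # known-benign Voltage secure message
    return True


# Constructed attachments (hypothetical content, not real samples)
_B64_ZIP = base64_zip_prefix()
SAMPLES = {
    # Smuggling pattern: decoder call plus a quoted base64 ZIP literal
    "smuggled_zip": ("invoice.html",
                     '<html><body><script>\n'
                     f'var blob = atob("{_B64_ZIP}");\n'
                     '</script></body></html>'),
    # Mentions base64 but carries no archive
    "benign_html": ("newsletter.htm",
                    '<html><body><p>The base64 report is sent separately.</p></body></html>'),
    # Voltage secure message: decoder present and ZIP magic present, yet negated
    "voltage_secure": ("secure-message.html",
                       '<html><body><script>var d = atob(x);</script>\n<form>'
                       + VOLTAGE_MARKER + 'AAAAAAAAAAAAAAAA">\n</form></body></html>'),
    # Identical body but not an HTML attachment by extension or file type
    "wrong_extension": ("invoice.txt",
                        f'<script>var blob = atob("{_B64_ZIP}");</script>'),
}


def classify_samples():
    """Run every constructed sample through the check; keyed by sample name."""
    return {name: is_html_smuggling(fn, body) for name, (fn, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} -> {'MATCH' if verdict else 'no match'}")
    # The file_type branch: odd extension, but content-sniffed as HTML
    print("typed_html       ->",
          "MATCH" if is_html_smuggling("invoice.bin", SAMPLES["wrong_extension"][1],
                                       file_type="html") else "no match")
```

The Voltage sample is the instructive one: every positive condition is true, so without the negation it would fire, which is exactly the false-positive class the rule's author carved out by matching the literal form-field preamble rather than loosening the ZIP regex.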