Attachment: HTML smuggling 'body onload' linking to suspicious destination

Potential HTML Smuggling. This rule inspects HTML attachments that contain exactly one link and use an HTML body onload event. The linked root domain must appear in the URLhaus list of domains submitted by trusted reporters, or have a suspicious TLD.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
 2description: |
 3  Potential HTML Smuggling. 
 4  This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD.   
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9  and any(attachments,
10          (
11            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
12            or (
13              .file_extension is null
14              and .file_type == "unknown"
15              and .content_type == "application/octet-stream"
16            )
17            or .file_extension in~ $file_extensions_common_archives
18            or .file_type == "html"
19            or .content_type == "text/html"
20          )
21          and any(file.explode(.),
22                  not length(.scan.url.invalid_urls) > 0
23                  and length(.scan.url.urls) == 1
24                  and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
25                  and (
26                    any(.scan.url.urls,
27                        .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
28                        
29                        // To-do uncomment below when list is created
30                        //or .domain.root_domain in $suspicious_root_domains
31                        or .domain.tld in $suspicious_tlds
32                    )
33                  )
34          )
35  )  
36attack_types:
37  - "Credential Phishing"
38  - "Malware/Ransomware"
39tactics_and_techniques:
40  - "Evasion"
41  - "HTML smuggling"
42  - "Scripting"
43detection_methods:
44  - "Archive analysis"
45  - "Content analysis"
46  - "File analysis"
47  - "HTML analysis"
48  - "URL analysis"
49id: "c1e2beed-e71e-58d2-b922-9601337645b2"