Attachment: HTML smuggling 'body onload' linking to suspicious destination
Potential HTML Smuggling. This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list, or have a suspicious TLD.
Sublime rule (View on GitHub)
```yaml
name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
description: |
  Potential HTML Smuggling.
  This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list, or have a suspicious TLD.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          // attachment is HTML by extension, type or content-type, an untyped
          // octet-stream blob, or a common archive that may wrap an HTML file
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "text/html"
          )
          // explode the attachment (and any archive contents) and inspect each file
          and any(file.explode(.),
                  not length(.scan.url.invalid_urls) > 0
                  and length(.scan.url.urls) == 1
                  // case-insensitive substring match for a body onload handler
                  and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
                  and (
                    any(.scan.url.urls,
                        .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                        // To-do uncomment below when list is created
                        //or .domain.root_domain in $suspicious_root_domains
                        or .domain.tld in $suspicious_tlds
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "URL analysis"
id: "c1e2beed-e71e-58d2-b922-9601337645b2"
```
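The following is an added example, not part of the Sublime rule above nor Sublime Security's code: a stand-alone Python re-implementation of the rule's per-file checks (single link, body onload handler, destination on a trusted-reporter list or with a suspicious TLD) that a detection engineer can run against an HTML file offline to understand what the rule keys on. It uses only the standard library. The `SUSPICIOUS_TLDS` and `TRUSTED_REPORTER_DOMAINS` sets, the sample attachments, and the `root_domain_and_tld` helper (last two hostname labels, no public-suffix handling) are assumptions made for the example; the real rule uses Sublime's `$suspicious_tlds` and `$abuse_ch_urlhaus_domains_trusted_reporters` feeds, its own URL scanner rather than `<a href>` extraction, and a raw string match for `body onload` instead of the parser-based check used here.

```python
"""Added example re-implementing the rule's HTML-smuggling checks in Python.
Not Sublime Security's code; list contents and samples are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for $suspicious_tlds and
# $abuse_ch_urlhaus_domains_trusted_reporters (assumption, not the real feeds).
SUSPICIOUS_TLDS = {"zip", "mov", "top", "xyz"}
TRUSTED_REPORTER_DOMAINS = {"bad-example.net"}


class _LinkAndOnloadParser(HTMLParser):
    """Collect <a href> targets and note whether <body> carries an onload handler."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.body_onload = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "body" and "onload" in attrs:
            self.body_onload = True
        if tag == "a" and attrs.get("href"):
            self.urls.append(attrs["href"])


def root_domain_and_tld(url):
    """Return (root_domain, tld) from the last two hostname labels.
    Assumption: no public-suffix list, so multi-label suffixes are not handled."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None, None
    return ".".join(labels[-2:]), labels[-1]


def inspect_html_attachment(html, suspicious_tlds=SUSPICIOUS_TLDS,
                            trusted_reporters=TRUSTED_REPORTER_DOMAINS):
    """Mirror the rule's per-file logic: exactly one link, a body onload
    handler, and a link destination on the trusted-reporter list or with a
    suspicious TLD. Returns the intermediate findings alongside the verdict."""
    parser = _LinkAndOnloadParser()
    parser.feed(html)
    parser.close()
    single_link = len(parser.urls) == 1
    suspicious_destination = False
    for url in parser.urls:
        root, tld = root_domain_and_tld(url)
        if root is None:  # javascript:, data:, relative links have no host
            continue
        if root in trusted_reporters or tld in suspicious_tlds:
            suspicious_destination = True
    return {
        "urls": parser.urls,
        "body_onload": parser.body_onload,
        "single_link": single_link,
        "flagged": parser.body_onload and single_link and suspicious_destination,
    }


# Constructed sample attachments (not real lures).
SMUGGLED_SAMPLE = """<html><head><title>Invoice</title></head>
<BODY onLoad="document.getElementById('dl').click()">
<a id="dl" href="http://invoice-portal.zip/download">Download</a>
</BODY></html>"""

BENIGN_SAMPLE = """<html><body>
<p>See <a href="https://www.example.com/a">one</a>
and <a href="https://www.example.com/b">two</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, sample in (("smuggled", SMUGGLED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, inspect_html_attachment(sample))
```

The mixed-case `<BODY onLoad>` in the sample is there to show why the rule uses a case-insensitive match (`strings.ilike`); the parser handles it because HTMLParser normalises tag and attribute names to lowercase.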