Attachment: HTML smuggling 'body onload' linking to suspicious destination
Potential HTML Smuggling. This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list, or have a suspicious TLD.
Sublime rule
name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
description: |
  Potential HTML Smuggling.
  This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list, or have a suspicious TLD.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "text/html"
          )
          and any(file.explode(.),
                  not length(.scan.url.invalid_urls) > 0
                  and length(.scan.url.urls) == 1
                  and any(.scan.strings.strings,
                          strings.ilike(., "*body onload*")
                  )
                  and (
                    any(.scan.url.urls,
                        .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters

                        // To-do: uncomment below when the list is created
                        // or .domain.root_domain in $suspicious_root_domains
                        or .domain.tld in $suspicious_tlds
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "URL analysis"
id: "c1e2beed-e71e-58d2-b922-9601337645b2"
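The following is an added Python sketch (not part of the Sublime rule or its repository) of the same decision logic applied to a single HTML attachment: one absolute URL, a case-insensitive "body onload" substring, and a destination whose root domain or TLD is on a watch list. The `SUSPICIOUS_TLDS` and `URLHAUS_TRUSTED_REPORTER_DOMAINS` sets, the sample HTML, and the last-two-labels root-domain approximation are constructed stand-ins; the archive-explosion and null-extension branches of the rule are not mirrored.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for the rule's $suspicious_tlds and
# $abuse_ch_urlhaus_domains_trusted_reporters lists (both are external feeds).
SUSPICIOUS_TLDS = {"zip", "mov", "xyz", "top"}
URLHAUS_TRUSTED_REPORTER_DOMAINS = {"reported-domain.invalid"}
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml", "xhtml"}

class _LinkCollector(HTMLParser):
    """Gather absolute http(s) URLs from href/src attributes (stand-in for .scan.url.urls)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, val in attrs:
            if key in ("href", "src") and val and val.lower().startswith(("http://", "https://")):
                self.urls.append(val)

def root_domain(host):
    # Naive last-two-labels approximation of .domain.root_domain (no public suffix list).
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def matches_rule(filename, content_type, html):
    """True when the attachment would satisfy the rule's HTML-attachment branch."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in HTML_EXTENSIONS and content_type != "text/html":
        return False
    collector = _LinkCollector()
    collector.feed(html)
    if len(collector.urls) != 1:          # length(.scan.url.urls) == 1
        return False
    if "body onload" not in html.lower():  # strings.ilike(., "*body onload*")
        return False
    host = urlparse(collector.urls[0]).hostname or ""
    return (root_domain(host) in URLHAUS_TRUSTED_REPORTER_DOMAINS
            or host.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS)

# Constructed samples: a minimal page that trips the TLD branch, and a benign page.
SMUGGLING_HTML = ('<html><body onload="start()">'
                  '<a href="https://docs-review.example.zip/open">View</a></body></html>')
BENIGN_HTML = ('<html><body><p>Newsletter</p>'
               '<a href="https://www.example.com/">Home</a></body></html>')
```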