Attachment: HTML smuggling with decimal encoding

Potential HTML smuggling attack based on large blocks of decimal-encoded content. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.

Sublime rule (View on GitHub)

# Sublime detection rule. The `source` block is the detection query; the
# remaining keys are rule metadata (name, description, severity, classification, id).
name: "Attachment: HTML smuggling with decimal encoding"
description: |
    Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. 
type: "rule"
severity: "high"
source: |
  type.inbound
  // attachment selection: HTML by extension, declared content type or detected
  // file type, an extension-less octet-stream of unknown type, or a common
  // archive (archive members are inspected via file.explode below)
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
            or .content_type == "text/html"
          )
          and any(file.explode(.),
                  // 60 or more consecutive comma-separated 2-3 digit numbers in the
                  // exploded content, consistent with a decimal (character-code)
                  // encoded payload rather than ordinary markup
                  // NOTE(review): this is evaluated on every exploded member, so
                  // large numeric data (e.g. a CSV inside an archive) could also
                  // match — confirm false-positive rate for archive attachments
                  any(.scan.strings.strings,
                      regex.contains(., '(\d{2,3},){60,}')
                  )
          )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. either the sender is not high-trust, or it is high-trust but at least
  // one hop carrying a DMARC result reports a failure
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile: fire for unsolicited senders, or for solicited senders
  // with prior malicious/spam messages
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // never fire for senders with a recorded false positive; this global check
  // already implies the any_false_positives condition inside the block above
  and not profile.by_sender().any_false_positives  
# classification metadata
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"