Attachment: HTML smuggling with embedded base64-encoded ISO
HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.
Sublime rule (View on GitHub)
```yaml
name: "Attachment: HTML smuggling with embedded base64-encoded ISO"
description: |
  HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.
references:
  - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d"
  - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    // Base64 encoded ISOs
                                    "*SVNPIDk2NjAvSEZT*",
                                    "*MTk5MyBFLllPVU5HREFMRQ*",
                                    // Reversed base64 encoded ISOs
                                    "*TZESvAjN2kDIPNVS*",
                                    "*QRMFERH5UVPllLFByM5kTM*"
                      )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "ISO"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "294ecd2d-bc98-5a67-850a-60a1a29aea76"
```
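The four literals in the rule are not arbitrary: "SVNPIDk2NjAvSEZT" is the base64 encoding of "ISO 9660/HFS" and "MTk5MyBFLllPVU5HREFMRQ" is the base64 encoding of "1993 E.YOUNGDALE", two fragments of the application identifier that mkisofs/genisoimage write into an ISO 9660 volume descriptor; the other two literals are the same strings reversed, for the case where the smuggled blob is stored back-to-front and reversed by script before decoding. The following Python is an added example, not Sublime's code and not the rule's MQL: it reproduces the rule's logic (HTML attachment, extract printable strings, substring match, forward and reversed) and goes one step further by deriving the alignment-stable base64 fragment of each marker for all three possible byte alignments, so the same markers are found regardless of where they fall in the blob. The sample ISO bytes and HTML are constructed inline and are not a real image or a real lure.

```python
import base64
import re

# Plaintext markers that mkisofs/genisoimage write into the ISO 9660 volume
# descriptor; the rule's "SVNPIDk2NjAvSEZT" and "MTk5MyBFLllPVU5HREFMRQ" are
# these two strings base64-encoded at byte alignment 0.
ISO_MARKERS = ("ISO 9660/HFS", "1993 E.YOUNGDALE")
HTML_EXTENSIONS = ("html", "htm")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` tool


def base64_variants(marker: str) -> list[str]:
    """Base64 substrings fully determined by `marker`, one per byte alignment
    (0, 1, 2) the marker can have inside a larger base64-encoded blob."""
    data = marker.encode()
    variants = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + data).decode()
        # Output char i covers stream bits [6i, 6i+6). Keep only chars that lie
        # entirely inside the marker's bits [8*offset, 8*(offset+len(data))).
        first = (8 * offset + 5) // 6             # ceil(8*offset / 6)
        last = (8 * (offset + len(data))) // 6    # floor, exclusive
        variants.append(encoded[first:last])
    return variants


def signature_set(markers=ISO_MARKERS) -> set[str]:
    """Forward and reversed fragments to hunt for, lower-cased because the
    rule's strings.ilike() is case-insensitive."""
    sigs = set()
    for marker in markers:
        for variant in base64_variants(marker):
            sigs.add(variant.lower())
            sigs.add(variant[::-1].lower())  # blob reversed before embedding
    return sigs


def is_html_attachment(filename: str, content: bytes) -> bool:
    """Mirror the rule's gate: .html/.htm extension or HTML-looking content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniff = content[:512].lower()
    return ext in HTML_EXTENSIONS or b"<html" in sniff or b"<!doctype html" in sniff


def scan_attachment(filename: str, content: bytes) -> list[str]:
    """Return the sorted signatures found in the attachment's printable strings."""
    if not is_html_attachment(filename, content):
        return []
    sigs = signature_set()
    hits = set()
    for run in PRINTABLE_RUN.findall(content):
        text = run.decode("ascii").lower()
        hits.update(s for s in sigs if s in text)
    return sorted(hits)


# --- constructed sample data (not a real ISO image, not real attacker HTML) ---
FAKE_ISO = (
    b"\x00" * 32 + b"CD001\x01\x00" + b"\x00" * 9
    + b"MKISOFS ISO 9660/HFS FILESYSTEM BUILDER (C) 1993 E.YOUNGDALE"
    + b"\x00" * 32
)


def smuggled_html(payload: bytes, reverse: bool = False) -> bytes:
    """Constructed HTML carrying a base64 blob in a script, optionally reversed."""
    blob = base64.b64encode(payload).decode()
    if reverse:
        blob = blob[::-1]
    return ('<html><body><script>var d = "' + blob + '";</script></body></html>').encode()


if __name__ == "__main__":
    print("invoice.html", scan_attachment("invoice.html", smuggled_html(FAKE_ISO)))
    print("invoice.htm ", scan_attachment("invoice.htm", smuggled_html(FAKE_ISO, reverse=True)))
    print("notes.html  ", scan_attachment("notes.html", b"<html><body>hello</body></html>"))
```

In the constructed sample both markers sit at byte positions that are 2 mod 3 in the blob, so the alignment-0 literals from the rule would not be the ones that fire; the alignment-2 variants do. Matching on the page's own literals is the alignment-0 case of this same function, and the reversed literals are the `[::-1]` case.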