Attachment: HTML smuggling with embedded base64 streamed file download

HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with embedded base64 streamed file download"
 2description: |
 3  HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers
 4  to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.  
 5type: "rule"
 6severity: "high"
 7source: |
 8  type.inbound
 9  and any(attachments,
10          (
11            .file_extension in~ ("html", "htm", "shtml", "dhtml")
12            or .file_extension in~ $file_extensions_common_archives
13            or .file_type == "html"
14          )
15          and any(file.explode(.),
16                  any(.scan.strings.strings,
17                      regex.icontains(.,
18                                      '<a href="data:application/octet-stream;base64,[a-z0-9/+]+={0,2}" download=".+\.[a-z]{2,3}'
19                      )
20                  )
21          )
22  )  
23tags:
24  - "Malfam: QakBot"
25attack_types:
26  - "Malware/Ransomware"
27tactics_and_techniques:
28  - "HTML smuggling"
29  - "Scripting"
30  - "Social engineering"
31detection_methods:
32  - "Archive analysis"
33  - "Content analysis"
34  - "File analysis"
35  - "HTML analysis"
36id: "e04de4e2-154f-5cf9-b108-dbf753ece511"

Related rules

to-top