Attachment: HTML smuggling with embedded base64 streamed file download
HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with embedded base64 streamed file download"
2description: |
3 HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers
4 to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.
5type: "rule"
6severity: "high"
7source: |
8 type.inbound
9 and any(attachments,
10 (
11 .file_extension in~ ("html", "htm", "shtml", "dhtml")
12 or .file_extension in~ $file_extensions_common_archives
13 or .file_type == "html"
14 )
15 and any(file.explode(.),
16 any(.scan.strings.strings,
17 regex.icontains(.,
18 '<a href="data:application/octet-stream;base64,[a-z0-9/+]+={0,2}" download=".+\.[a-z]{2,3}'
19 )
20 )
21 )
22 )
23tags:
24 - "Malfam: QakBot"
25attack_types:
26 - "Malware/Ransomware"
27tactics_and_techniques:
28 - "HTML smuggling"
29 - "Scripting"
30 - "Social engineering"
31detection_methods:
32 - "Archive analysis"
33 - "Content analysis"
34 - "File analysis"
35 - "HTML analysis"
36id: "e04de4e2-154f-5cf9-b108-dbf753ece511"
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with suspicious language and redirect to suspicious file type