Attachment: HTML smuggling with eval and atob via calendar invite
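Scans calendar invites (.ics files) to detect HTML smuggling techniques. The rule flags inbound messages whose calendar attachment contains `eval` closely followed by `atob`, i.e. script that Base64-decodes a payload and executes it.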
Sublime rule:
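# Sublime detection rule: YAML metadata wrapping an MQL query in `source`.
# Purpose: flag inbound mail whose calendar attachment contains script that
# Base64-decodes a payload and evaluates it (eval + atob), an HTML-smuggling
# construct.
# The listing's fused line-number gutter has been removed and the block-scalar
# indentation restored so the file parses as YAML.
name: "Attachment: HTML smuggling with eval and atob via calendar invite"
description: "Scans calendar invites (.ics files) to detect HTML smuggling techniques."
type: "rule"
severity: "high"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  and any(attachments,
          // An attachment counts as a calendar invite if either its extension
          // (=~ is a case-insensitive comparison) or its declared MIME type says so.
          // NOTE(review): == is an exact comparison; confirm content_type is
          // already normalized to lower case before relying on it.
          (
            .file_extension =~ "ics"
            or .content_type == "text/calendar"
          )
          // Inspect every object produced by exploding the attachment.
          and any(file.explode(.),
                  // usage: onerror="eval(atob('
                  // imatch is case-insensitive and must match the whole string,
                  // hence the leading and trailing ".*". ".{1,4}" allows only
                  // 1-4 characters between the two tokens.
                  // NOTE(review): this is a narrow literal-token signature. It
                  // does not fire when the decode-and-execute step is written
                  // without adjacent eval/atob tokens, so treat it as one layer
                  // alongside broader HTML-smuggling rules, not as full coverage.
                  any(.scan.strings.strings,
                      regex.imatch(., ".*eval.{1,4}atob.*")
                  )
          )
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
# Rule identifier; keep unchanged when editing the rule.
id: "597c2edd-ff97-5ef6-bcf4-8957011edd9c"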