Attachment: HTML smuggling with fromCharCode and other signals
Recursively scans files and archives to detect HTML smuggling techniques.
# Sublime Security detection rule. Flags an inbound message carrying an HTML
# attachment (directly, or inside a common archive) whose embedded JavaScript
# matches a specific char-code decoding fingerprint seen in HTML smuggling
# loaders. The matching logic is the MQL in the `source` block below; the
# remaining keys are metadata.
name: "Attachment: HTML smuggling with fromCharCode and other signals"
description: |
  Recursively scans files and archives to detect HTML smuggling techniques.
# Background reading on the technique in general, not on this exact fingerprint.
references:
  - "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
type: "rule"
severity: "high"
# How the MQL reads:
#  1. type.inbound            - inbound mail only.
#  2. any(attachments, ...)   - at least one attachment is HTML by extension
#     (html/htm/shtml/dhtml; `in~` rather than `in` gives a case-insensitive
#     match), OR carries a common archive extension
#     ($file_extensions_common_archives is a shared list defined outside this
#     file), OR is typed "html" by .file_type (presumably content-derived, so a
#     file with a disguised extension still qualifies - confirm).
#  3. any(file.explode(.), ...) - file.explode recurses into that attachment
#     (archive members included, per the description above), and at least one
#     exploded file has fewer than 100 extracted JavaScript identifiers AND
#     references every one of location, charCodeAt, fromCharCode, indexOf AND
#     uses both the try and catch keywords.
# Every clause in step 3 is AND-ed, so this is a tight fingerprint of one
# decoder style (a char-code transform wrapped in try/catch, with `location`
# presumably used as a key source or for the follow-on redirect), not a
# generic smuggling detector. Practical consequences:
#  - A loader that decodes via e.g. atob/Uint8Array/Blob and never calls
#    charCodeAt/fromCharCode does not match this rule; pair it with broader
#    HTML-smuggling rules rather than relying on it alone.
#  - The `< 100` identifier bound keeps large legitimate pages out of scope,
#    but a sample padded with junk identifiers falls outside it as well;
#    presumably an intentional precision trade-off rather than an oversight.
#  - Archive coverage depends on what $file_extensions_common_archives contains
#    and on file.explode being able to open the archive (password-protected
#    archives are a likely gap - verify).
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  length(.scan.javascript.identifiers) < 100
                  and "location" in .scan.javascript.identifiers
                  and "charCodeAt" in .scan.javascript.identifiers
                  and "fromCharCode" in .scan.javascript.identifiers
                  and "indexOf" in .scan.javascript.identifiers
                  and "try" in .scan.javascript.keywords
                  and "catch" in .scan.javascript.keywords
          )
  )
# Taxonomy tags for triage and reporting (presumably not consulted by the
# matcher itself).
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Javascript analysis"
  - "HTML analysis"
# Stable identifier for this rule; presumably must be kept unchanged when the
# logic above is edited - confirm against the repository's contribution rules.
id: "a68ce0ef-dc81-5889-8d0d-735e3521d735"