Attachment: HTML smuggling with fromCharCode and other signals

Recursively scans files and archives to detect HTML smuggling techniques.


 1name: "Attachment: HTML smuggling with fromCharCode and other signals"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques.
 4references:
 5  - "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15          )
16          and any(file.explode(.),
17                  length(.scan.javascript.identifiers) < 100
18                  and "location" in .scan.javascript.identifiers
19                  and "charCodeAt" in .scan.javascript.identifiers
20                  and "fromCharCode" in .scan.javascript.identifiers
21                  and "indexOf" in .scan.javascript.identifiers
22                  and "try" in .scan.javascript.keywords
23                  and "catch" in .scan.javascript.keywords
24          )
25  )  
26attack_types:
27  - "Credential Phishing"
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "HTML smuggling"
32  - "Scripting"
33detection_methods:
34  - "Archive analysis"
35  - "Content analysis"
36  - "File analysis"
37  - "Javascript analysis"
38  - "HTML analysis"
39id: "a68ce0ef-dc81-5889-8d0d-735e3521d735"