Attachment: HTML smuggling with base64 encoded JavaScript function

This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. Such obfuscation tactics have been frequently observed in credential phishing campaigns.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with base64 encoded JavaScript function"
 2description: |
 3  This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type
 4  and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. 
 5  Such obfuscation tactics have been frequently observed in credential phishing campaigns.  
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or (
14              .file_extension is null
15              and .file_type == "unknown"
16              and .content_type == "application/octet-stream"
17              and .size < 100000000
18            )
19            or .file_extension in~ $file_extensions_common_archives
20            or .file_type == "html"
21          )
22          and any(file.explode(.),
23                  any(.scan.strings.strings, strings.contains(., "data:text/javascript;base64"))
24                  // strings array is small
25                  and length(.scan.strings.strings) < 10
26          )
27  )  
28attack_types:
29  - "Credential Phishing"
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "HTML smuggling"
33  - "Scripting"
34detection_methods:
35  - "Archive analysis"
36  - "Content analysis"
37  - "File analysis"
38  - "HTML analysis"
39  - "Javascript analysis"
40id: "4e8a12ec-3dda-5f4e-8646-f147039662d1"
to-top