Attachment: HTML smuggling with base64 encoded JavaScript function
This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. Such obfuscation tactics have been frequently observed in credential phishing campaigns.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with base64 encoded JavaScript function"
2description: |
3 This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type
4 and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content.
5 Such obfuscation tactics have been frequently observed in credential phishing campaigns.
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml")
13 or (
14 .file_extension is null
15 and .file_type == "unknown"
16 and .content_type == "application/octet-stream"
17 and .size < 100000000
18 )
19 or .file_extension in~ $file_extensions_common_archives
20 or .file_type == "html"
21 )
22 and any(file.explode(.),
23 any(.scan.strings.strings, strings.contains(., "data:text/javascript;base64"))
24 // strings array is small
25 and length(.scan.strings.strings) < 10
26 )
27 )
28attack_types:
29 - "Credential Phishing"
30 - "Malware/Ransomware"
31tactics_and_techniques:
32 - "HTML smuggling"
33 - "Scripting"
34detection_methods:
35 - "Archive analysis"
36 - "Content analysis"
37 - "File analysis"
38 - "HTML analysis"
39 - "Javascript analysis"
40id: "4e8a12ec-3dda-5f4e-8646-f147039662d1"