Attachment: HTML smuggling with excessive line break obfuscation
Credential phishing attacks have been observed using excessive line breaks to obfuscate JavaScript functions within HTML files: the script is split into many very short lines so that simple string and pattern checks on the attachment fail to see the decoding routine as one piece.
Sublime rule
name: "Attachment: HTML smuggling with excessive line break obfuscation"
description: |
  Credential Phishing attacks have been observed using excessive line breaks to obfuscate javascript functions within html files.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
              .file_extension in~ ("html", "htm", "shtml", "dhtml")
              or .file_extension in~ $file_extensions_common_archives
              or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      // newline-padded obfuscation: 50 or more consecutive
                      // CRLF-separated lines of exactly two non-whitespace characters,
                      // combined with a decodeURIComponent call in the same string
                      regex.contains(., '(\\r\\n\S{2}){50,}')
                      and strings.contains(., 'decodeURIComponent')
                  )
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "7e901440-5751-5d94-8b2d-47eb3c0e2b9d"