Attachment: HTML smuggling Microsoft sign in

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling Microsoft sign in"
 2description: |
 3    Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml")
11            or .file_extension in~ $file_extensions_common_archives
12            or .file_type == "html"
13          )
14          and any(file.explode(.),
15                  .scan.entropy.entropy >= 5.7
16                  and .flavors.mime == "text/html"
17                  and length(.scan.javascript.identifiers) == 0
18                  and any(.scan.url.urls,
19                          .domain.domain not in $tranco_1m
20                          or .domain.root_domain in $free_subdomain_hosts
21                  )
22  
23                  // seen in the wild: "sign in to your account", "sign in to your microsoft account"
24                  and strings.ilike(.scan.html.title, "*sign in*", "*microsoft*")
25          )
26  )
27  and (
28    not profile.by_sender().solicited
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_messages_benign
32    )
33  )
34  // allow Microsoft domains just to be safe
35  and sender.email.domain.root_domain not in~ (
36    'microsoft.com',
37    'microsoftsupport.com',
38    'office.com'
39  )  
40attack_types:
41  - "Credential Phishing"
42tactics_and_techniques:
43  - "Free subdomain host"
44  - "HTML smuggling"
45  - "Impersonation: Brand"
46  - "Social engineering"
47detection_methods:
48  - "Archive analysis"
49  - "Content analysis"
50  - "File analysis"
51  - "Header analysis"
52  - "Javascript analysis"
53  - "Sender analysis"
54  - "URL analysis"
55id: "878d6385-95c2-5540-a887-a6fa9456409c"