Attachment: HTML Smuggling Microsoft Sign In

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.


 1name: "Attachment: HTML Smuggling Microsoft Sign In"
 2description: |
 3    Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
 4type: "rule"
 5severity: "high"
 6source: |
    // scope: inbound messages only
 7  type.inbound
    // an attachment is in scope when it looks like HTML by extension or detected
    // file type, or is a common archive (exploded below so HTML inside it is scanned)
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml")
11            or .file_extension in~ $file_extensions_common_archives
12            or .file_type == "html"
13          )
            // NOTE(review): high entropy combined with zero parsed JavaScript identifiers
            // is presumably used as a proxy for an encoded/obfuscated payload rather than
            // readable script; 5.7 is a tuning threshold — confirm against sample set
14          and any(file.explode(.),
15                  .scan.entropy.entropy >= 5.7
16                  and .flavors.mime == "text/html"
17                  and length(.scan.javascript.identifiers) == 0
                    // at least one URL in the document is either outside the Tranco top 1M
                    // or hosted on a free subdomain provider
18                  and any(.scan.url.urls,
19                          .domain.domain not in $tranco_1m
20                          or .domain.root_domain in $free_subdomain_hosts
21                  )
 22
23                  // seen in the wild: "sign in to your account", "sign in to your microsoft account"
                    // NOTE(review): with two patterns this appears to match when EITHER pattern
                    // matches the title, so "*microsoft*" alone suffices — confirm strings.ilike semantics
24                  and strings.ilike(.scan.html.title, "*sign in*", "*microsoft*")
25          )
26  )
    // sender context: unsolicited, or a sender previously flagged malicious/spam
    // with no recorded false positives
27  and (
28    not profile.by_sender().solicited
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )
34  // allow Microsoft domains just to be safe
    // NOTE(review): this exclusion keys off the sender address's root domain alone;
    // pairing it with a sender-authentication condition would keep it from applying to
    // an unauthenticated message claiming one of these domains — confirm available header fields
35  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')  
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Free subdomain host"
40  - "HTML smuggling"
41  - "Impersonation: Brand"
42  - "Social engineering"
43detection_methods:
44  - "Archive analysis"
45  - "Content analysis"
46  - "File analysis"
47  - "Header analysis"
48  - "Javascript analysis"
49  - "Sender analysis"
50  - "URL analysis"
51id: "878d6385-95c2-5540-a887-a6fa9456409c"