Attachment: HTML smuggling Microsoft sign in

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.


 1name: "Attachment: HTML smuggling Microsoft sign in"
 2description: |
 3    Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml")
11            or .file_extension in~ $file_extensions_common_archives
12            or .file_type == "html"
13          )
14          and any(file.explode(.),
15                  .scan.entropy.entropy >= 5.7
16                  and .flavors.mime == "text/html"
17                  and length(.scan.javascript.identifiers) == 0
18                  and any(.scan.url.urls,
19                          .domain.domain not in $tranco_1m
20                          or .domain.root_domain in $free_subdomain_hosts
21                  )
22  
23                  // seen in the wild: "sign in to your account", "sign in to your microsoft account"
24                  and strings.ilike(.scan.html.title, "*sign in*", "*microsoft*")
25          )
26  )
27  // allow Microsoft domains just to be safe
28  and sender.email.domain.root_domain not in~ (
29    'microsoft.com',
30    'microsoftsupport.com',
31    'office.com'
32  )  
33attack_types:
34  - "Credential Phishing"
35tactics_and_techniques:
36  - "Free subdomain host"
37  - "HTML smuggling"
38  - "Impersonation: Brand"
39  - "Social engineering"
40detection_methods:
41  - "Archive analysis"
42  - "Content analysis"
43  - "File analysis"
44  - "Header analysis"
45  - "Javascript analysis"
46  - "Sender analysis"
47  - "URL analysis"
48id: "878d6385-95c2-5540-a887-a6fa9456409c"