Attachment: HTML smuggling with RC4 decryption
Potential HTML smuggling. The RC4 algorithm is used within inline JavaScript to decrypt the payload on-the-fly.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with RC4 decryption"
2description: |
3 Potential HTML smuggling.
4 The RC4 algorithm is used within inline JavaScript to decrypt the payload on-the-fly.
5references:
6 - "https://delivr.to/payloads?id=0dcec496-0130-465c-bf3d-c9714e17d4d4"
7 - "https://playground.sublimesecurity.com?id=6b219754-2b0b-47c3-ba53-ec080d946499"
8type: "rule"
9severity: "high"
10source: |
11 type.inbound
12 and any(attachments,
13 (
14 .file_extension in~ ("html", "htm", "shtml", "dhtml")
15 or .file_extension in~ $file_extensions_common_archives
16 or .file_type == "html"
17 )
18 and any(file.explode(.),
19 any(.scan.strings.strings, strings.ilike(., "*?[(?[?]+?[?])%256]*"))
20 )
21 )
22attack_types:
23 - "Credential Phishing"
24 - "Malware/Ransomware"
25tactics_and_techniques:
26 - "Encryption"
27 - "Evasion"
28 - "HTML smuggling"
29 - "Scripting"
30detection_methods:
31 - "Archive analysis"
32 - "Content analysis"
33 - "File analysis"
34 - "HTML analysis"
35 - "Javascript analysis"
36id: "3a46d765-4b27-5026-9b8e-043e3817854b"