Attachment: HTML smuggling with ROT13

Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.

Sublime rule (View on GitHub)

name: "Attachment: HTML smuggling with ROT13"
description: |
  Potential HTML obfuscation attack based on suspicious JavaScript identifiers.
  Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters.
  This rule may be expanded to inspect HTML attachments for other suspicious identifiers.
type: "rule"
authors:
  - twitter: "Kyle_Parrish_"
    name: "Kyle Parrish"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type in~ ("html", "svg")
          )
          and any(file.explode(.),
                  1 of (
                      any(.scan.javascript.identifiers,
                          . in~ ("rot13", "decodeROT13")
                      ),
                      any(.scan.strings.strings,
                        // ROT13 encoded value for https & http
                        strings.icontains(., "\"uggcf://")
                        or strings.icontains(., "\"uggc://")
                      )
                  )
                  and length(.scan.javascript.identifiers) < 100
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Javascript analysis"
  - "HTML analysis"
id: "6eacc4cf-9357-5441-9380-b561fa630d65"
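The rule's two indicators rest on one property of ROT13: it maps "https://" to "uggcf://" and "http://" to "uggc://" every time, so the encoded scheme is a stable string to hunt for, and a script that decodes it at runtime usually names the routine after the cipher. The Python below is an added illustration, not Sublime's implementation or part of the rule: it re-implements the per-file logic (suspicious identifier or ROT13-encoded URL prefix, gated on fewer than 100 identifiers) against two constructed HTML attachment bodies. The regex-based `extract_identifiers` and `extract_strings` helpers are assumed stand-ins for Sublime's `.scan.javascript.identifiers` and `.scan.strings.strings`, and the archive branch (`$file_extensions_common_archives` with `file.explode`) is not modeled.

```python
import codecs
import re

def rot13(text: str) -> str:
    """ROT13 is its own inverse, so rot13("https://") == "uggcf://" always."""
    return codecs.encode(text, "rot_13")

# The rule's indicators, as Python constants.
SUSPICIOUS_IDENTIFIERS = {"rot13", "decoderot13"}       # rule uses in~ (case-insensitive)
SUSPICIOUS_STRING_PREFIXES = ('"uggcf://', '"uggc://')   # opening quote included, as in the rule
MAX_IDENTIFIERS = 100                                    # length(.scan.javascript.identifiers) < 100

# Crude tokenizers standing in for Sublime's scanner (assumption: a real
# implementation would use a JavaScript parser rather than regexes).
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"\"[^\"\\\n]*\"|'[^'\\\n]*'")
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "typeof", "instanceof", "true", "false", "null", "undefined",
}

def extract_strings(js: str) -> list:
    """Quoted literals with their quotes kept, so '"uggcf://' matches literally."""
    return STRING_RE.findall(js)

def extract_identifiers(js: str) -> list:
    """Identifier-like tokens outside string literals, minus keywords."""
    without_strings = STRING_RE.sub('""', js)
    return [t for t in IDENT_RE.findall(without_strings) if t not in JS_KEYWORDS]

def analyze(html: str) -> dict:
    """Mirror the rule's per-file logic for one HTML attachment body."""
    js = "\n".join(m.group(1) for m in SCRIPT_RE.finditer(html))
    identifiers = extract_identifiers(js)
    strings = extract_strings(js)
    identifier_hit = any(i.lower() in SUSPICIOUS_IDENTIFIERS for i in identifiers)
    string_hit = any(p in s.lower() for s in strings for p in SUSPICIOUS_STRING_PREFIXES)
    return {
        "identifier_count": len(identifiers),
        "identifier_hit": identifier_hit,
        "string_hit": string_hit,
        # "1 of (...)": either indicator suffices, but only for small scripts;
        # the identifier cap keeps bundled libraries from tripping the rule.
        "matches": (identifier_hit or string_hit) and len(identifiers) < MAX_IDENTIFIERS,
    }

# Constructed sample: a small attachment whose script keeps its URL ROT13-encoded
# ("uggcf://rknzcyr.pbz/ybtva" is rot13("https://example.com/login")).
SAMPLE_HTML = """<html><body><script>
function decodeROT13(s) {
  return s.replace(/[a-zA-Z]/g, function (c) {
    return String.fromCharCode((c <= 'Z' ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
  });
}
var target = decodeROT13("uggcf://rknzcyr.pbz/ybtva");
window.location = target;
</script></body></html>"""

# Constructed benign sample for comparison.
BENIGN_HTML = """<html><body><script>
function showGreeting(name) { document.title = "Hello " + name; }
showGreeting("reader");
</script></body></html>"""

if __name__ == "__main__":
    print("rot13('https://') =", rot13("https://"))
    print("sample:", analyze(SAMPLE_HTML))
    print("benign:", analyze(BENIGN_HTML))
```

Both indicators fire on the sample (the `decodeROT13` identifier and the `"uggcf://` literal), while the benign page trips neither; in the rule either one alone is enough, which is why the identifier-count ceiling matters as the false-positive control.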