Attachment: HTML smuggling with ROT13

Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.

Sublime rule

```yaml
name: "Attachment: HTML smuggling with ROT13"
description: |
  Potential HTML obfuscation attack based on suspicious JavaScript identifiers.
  Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters.
  This rule may be expanded to inspect HTML attachments for other suspicious identifiers.
type: "rule"
authors:
  - twitter: "Kyle_Parrish_"
    name: "Kyle Parrish"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.javascript.identifiers, . in~ ("rot13"))
                  and length(.scan.javascript.identifiers) < 100
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Javascript analysis"
  - "HTML analysis"
id: "6eacc4cf-9357-5441-9380-b561fa630d65"
```
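To make the rule's logic concrete, here is an added Python emulation of what it evaluates; it is not Sublime's own code and does not reproduce the platform's parser. It approximates `.scan.javascript.identifiers` with a regex identifier extractor over `<script>` bodies (an assumption: identifiers are treated as a de-duplicated list, keywords excluded), stands in for `file.explode` by walking HTML files directly and ZIP archives one level deep (`$file_extensions_common_archives` is reduced to `zip`), and stands in for `.file_type == "html"` with a sniff of the first bytes. The sample attachments are constructed for this example.

```python
"""Offline emulation of the "HTML smuggling with ROT13" rule (added example, not Sublime code)."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
ARCHIVE_EXTENSIONS = {"zip"}            # stand-in for $file_extensions_common_archives
SUSPICIOUS_IDENTIFIERS = {"rot13"}      # matched case-insensitively, like `in~`
MAX_IDENTIFIERS = 100                   # mirrors length(.scan.javascript.identifiers) < 100

# Reserved words are not identifiers; everything else that looks like a name is counted.
JS_KEYWORDS = {
    "break", "case", "catch", "class", "const", "continue", "debugger", "default", "delete",
    "do", "else", "export", "extends", "finally", "for", "function", "if", "import", "in",
    "instanceof", "let", "new", "return", "super", "switch", "this", "throw", "try", "typeof",
    "var", "void", "while", "with", "yield", "true", "false", "null", "undefined", "of",
    "async", "await",
}


@dataclass
class Attachment:
    file_name: str
    content: bytes


def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_html(data: bytes) -> bool:
    """Crude content sniff standing in for Sublime's `.file_type == "html"`."""
    head = data[:2048].lower()
    return b"<html" in head or b"<!doctype html" in head


def javascript_identifiers(html: bytes) -> list[str]:
    """Unique identifiers found in <script> bodies (approximation of .scan.javascript.identifiers)."""
    text = html.decode("utf-8", errors="replace")
    seen: list[str] = []
    for body in re.findall(r"<script\b[^>]*>(.*?)</script>", text, re.I | re.S):
        # Drop string literals first, then comments, so their contents are not counted.
        body = re.sub(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|`(?:\\.|[^`\\])*`", "", body, flags=re.S)
        body = re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S)
        for ident in re.findall(r"[A-Za-z_$][\w$]*", body):
            if ident not in JS_KEYWORDS and ident not in seen:
                seen.append(ident)
    return seen


def explode(att: Attachment) -> Iterator[tuple[str, bytes]]:
    """Yield (name, bytes) for the attachment itself or HTML members of a ZIP (stand-in for file.explode)."""
    if file_extension(att.file_name) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
                for info in zf.infolist():
                    data = zf.read(info)
                    if file_extension(info.filename) in HTML_EXTENSIONS or looks_like_html(data):
                        yield info.filename, data
        except zipfile.BadZipFile:
            return
    else:
        yield att.file_name, att.content


def matches_rule(att: Attachment) -> bool:
    """True when the attachment satisfies the rule's `any(attachments, ...)` clause."""
    ext = file_extension(att.file_name)
    if not (ext in HTML_EXTENSIONS or ext in ARCHIVE_EXTENSIONS or looks_like_html(att.content)):
        return False
    for _name, data in explode(att):
        idents = javascript_identifiers(data)
        hit = any(i.lower() in SUSPICIOUS_IDENTIFIERS for i in idents)
        if hit and len(idents) < MAX_IDENTIFIERS:
            return True
    return False


# --- constructed samples (not real attachments) -----------------------------------------
# Small smuggling-style stub: a function named rot13 and only a handful of other identifiers.
SUSPECT_HTML = b"""<html><body><script>
function rot13(text) { /* body elided; only the identifier matters for the rule */ return text; }
var payload = "pbafgehpgrq fnzcyr";
document.body.innerText = rot13(payload);
</script></body></html>"""

# Ordinary page: no suspicious identifier at all.
BENIGN_HTML = b"<html><script>document.title = 'quarterly report';</script></html>"

# Contains rot13 but declares 122 identifiers, so the `< 100` guard excludes it.
LARGE_HTML = ("<html><script>function rot13(s) { return s; } "
              + " ".join(f"var v{i} = {i};" for i in range(120))
              + "</script></html>").encode()


def build_zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


ZIPPED_SAMPLE = build_zip("invoice.html", SUSPECT_HTML)

if __name__ == "__main__":
    for att in (Attachment("invoice.html", SUSPECT_HTML), Attachment("invoice.zip", ZIPPED_SAMPLE),
                Attachment("index.htm", BENIGN_HTML), Attachment("app.html", LARGE_HTML)):
        print(f"{att.file_name}: {'MATCH' if matches_rule(att) else 'no match'}")
```

The `< 100` guard is what keeps the rule focused on small smuggling stubs rather than any large bundled script that happens to contain a `rot13` helper; the `LARGE_HTML` sample shows that path, and the ZIP sample shows why the archive extensions are in the first clause at all.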