Attachment: HTML smuggling with setTimeout
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with setTimeout"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and any(attachments,
9 .size <= 400
10 and (
11 .file_extension in~ ("html", "htm", "shtml", "dhtml")
12 or .file_extension in~ $file_extensions_common_archives
13 or .file_type == "html"
14 )
15 and any(file.explode(.),
16 "setTimeout" in .scan.javascript.identifiers
17 and any(.scan.strings.strings, strings.ilike(., "*location.href*"))
18 )
19 )
20attack_types:
21 - "Credential Phishing"
22 - "Malware/Ransomware"
23tactics_and_techniques:
24 - "Evasion"
25 - "HTML smuggling"
26 - "Scripting"
27detection_methods:
28 - "Archive analysis"
29 - "Content analysis"
30 - "File analysis"
31 - "HTML analysis"
32 - "Javascript analysis"
33id: "4e0b2c32-d176-5351-9b74-1636179a8cda"