Attachment: HTML smuggling 'body onload' with high entropy and suspicious text

Potential HTML Smuggling. This rule inspects HTML attachments that contain "body onload", high entropy, and suspicious text.


 1name: "Attachment: HTML smuggling 'body onload' with high entropy and suspicious text"
 2description: |
 3    Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15            )
16            or .file_extension in~ $file_extensions_common_archives
17            or .file_type == "html"
18            or .content_type == "text/html"
19          )
20          and any(file.explode(.),
21              .scan.entropy.entropy >= 5
22              and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
23              and any(.scan.strings.strings, regex.icontains(., 'data:image/.*;base64'))
24              and any(.scan.strings.strings, strings.ilike(., "*document pass*"))
25          )
26  )  
27attack_types:
28  - "Credential Phishing"
29  - "Malware/Ransomware"
30tactics_and_techniques:
31  - "Evasion"
32  - "HTML smuggling"
33  - "Scripting"
34detection_methods:
35  - "Archive analysis"
36  - "Content analysis"
37  - "File analysis"
38  - "HTML analysis"
39id: "329ac12d-f74e-577c-936c-1db80ccf860e"