Attachment: HTML smuggling 'body onload' with high entropy and suspicious text

calendar Sep 25, 2023  ยท
Share on: linkedin copy

Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling 'body onload' with high entropy and suspicious text"
 2description: |
 3    Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15            )
16            or .file_extension in~ $file_extensions_common_archives
17            or .file_type == "html"
18            or .content_type == "text/html"
19          )
20          and any(file.explode(.),
21              .scan.entropy.entropy >= 5
22              and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
23              and any(.scan.strings.strings, regex.icontains(., 'data:image/.*;base64'))
24              and any(.scan.strings.strings, strings.ilike(., "*document pass*"))
25          )
26  )  
27attack_types:
28  - "Credential Phishing"
29  - "Malware/Ransomware"
30tactics_and_techniques:
31  - "Evasion"
32  - "HTML smuggling"
33  - "Scripting"
34detection_methods:
35  - "Archive analysis"
36  - "Content analysis"
37  - "File analysis"
38  - "HTML analysis"
39id: "329ac12d-f74e-577c-936c-1db80ccf860e"
to-top