Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Potential HTML smuggling. This rule inspects HTML attachments (including extensionless octet-stream blobs and common archives that are exploded) whose contents have high entropy and contain a "body onload" handler, an embedded base64 image data URI, and "document pass…" lure text.
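name: "Attachment: HTML smuggling 'body onload' with high entropy and suspicious text"
description: |
  Potential HTML Smuggling. This rule inspects HTML attachments that contain "body onload", high entropy, and suspicious text.
type: "rule"
severity: "high"
source: |
  // Inbound mail only.
  type.inbound
  and any(attachments,
          // Attachment selection: anything that is HTML, or may unpack to HTML.
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
            // Extensionless, unidentified binary blobs are inspected as well,
            // since stripping the extension is a trivial way to dodge the list above.
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
            )
            // Common archives are exploded below, so HTML nested in them is covered.
            or .file_extension in~ $file_extensions_common_archives
            // Sniffed file type and declared MIME type catch mislabelled extensions.
            or .file_type == "html"
            or .content_type == "text/html"
          )
          // Content checks run against every exploded child of the attachment;
          // all four conditions must hold on the same child.
          and any(file.explode(.),
                  // High entropy as a proxy for encoded/obfuscated content.
                  .scan.entropy.entropy >= 5
                  // Script fired from the body onload handler (case-insensitive).
                  and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
                  // Embedded base64 image data URI; the subtype match is deliberately loose.
                  and any(.scan.strings.strings, regex.icontains(., 'data:image/.*;base64'))
                  // Lure text; the wildcards also match longer forms such as "document password".
                  and any(.scan.strings.strings, strings.ilike(., "*document pass*"))
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
id: "329ac12d-f74e-577c-936c-1db80ccf860e"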