Attachment: HTML smuggling with unescape
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with unescape"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4references:
5 - "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml")
13 or .file_extension in~ $file_extensions_common_archives
14 or .file_type == "html"
15 )
16 and any(file.explode(.),
17 any(.scan.javascript.identifiers, . == "unescape")
18 or any(.scan.strings.strings, regex.contains(., "document.write.{0,10}unescape"))
19 )
20 )
21attack_types:
22 - "Credential Phishing"
23 - "Malware/Ransomware"
24tactics_and_techniques:
25 - "Evasion"
26 - "HTML smuggling"
27 - "Scripting"
28detection_methods:
29 - "Archive analysis"
30 - "File analysis"
31 - "HTML analysis"
32 - "Javascript analysis"
33id: "0b0fed36-735a-50f1-bf10-6673237a4623"