Attachment: ICS with embedded Javascript in SVG file
Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
Sublime rule (View on GitHub)
1name: "Attachment: ICS with embedded Javascript in SVG file"
2description: "Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(attachments,
8 (
9 .file_extension in~ ('ics')
10 or .content_type in ("application/ics", "text/calendar")
11 )
12 and any(file.explode(.),
13 (
14 .file_extension in~ ("svg", "svgz")
15 or .flavors.mime == "image/svg+xml"
16 )
17 and any(.scan.strings.strings,
18 strings.ilike(.,
19 "*onload*",
20 "*window.location.href*",
21 "*onerror*",
22 "*CDATA*",
23 "*<script*",
24 "*</script*",
25 "*atob*",
26 "*location.assign*",
27 "*decodeURIComponent*"
28 )
29 )
30 )
31 )
32attack_types:
33 - "Credential Phishing"
34 - "Malware/Ransomware"
35tactics_and_techniques:
36 - "Scripting"
37 - "Evasion"
38detection_methods:
39 - "File analysis"
40 - "Javascript analysis"
41 - "Sender analysis"
42id: "d5201a19-4c0d-537b-bd0b-278ef48fd983"