HTML smuggling containing recipient email address
HTML attachment (or an HTML attachment inside an attached email) is small and contains a recipient's email address.
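# Sublime Security detection rule (YAML + MQL in the `source` block scalar).
# Detects small HTML attachments — direct, inside an attached .eml, or inside a
# common archive — whose extracted strings contain a To: recipient's own email
# address, which is a common HTML-smuggling / credential-phishing pre-fill pattern.
# The leading gutter digits that had fused into each line of the listing have been
# stripped; without that the top-level keys (e.g. "1name") and the block scalar
# indentation were not valid YAML.
name: "HTML smuggling containing recipient email address"
description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Branch 1: HTML attached directly, or an attached message (message/rfc822)
    // whose exploded children are inspected.
    any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .content_type == "message/rfc822"
          or .file_type == "html"
          or .content_type == "text/html"
        )
        // Inside file.explode(.), "." is the exploded child; ".." is the enclosing scope.
        and any(file.explode(.),
                // "small" = under 10,000 bytes with fewer than 20 extracted strings.
                // NOTE(review): both thresholds are evadable by padding the
                // file or adding filler strings; tune with care.
                .size < 10000
                and length(.scan.strings.strings) < 20
                // Only recipients.to is checked; a lure aimed at a CC/BCC
                // recipient would not match this rule as written.
                and any(recipients.to,
                        any(..scan.strings.strings,
                            strings.icontains(., ..email.email)
                        )
                        // "." here is the recipient: require a syntactically valid domain.
                        and .email.domain.valid
                )
        )
    )
    // Branch 2: HTML inside a common archive ($file_extensions_common_archives
    // is a list maintained outside this file).
    or any(attachments,
           (.file_extension in~ $file_extensions_common_archives)
           and any(file.explode(.),
                   (
                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
                     // NOTE(review): ".." resolves to the enclosing archive attachment,
                     // not the exploded child, so these two tests look at the archive's
                     // own file_type/content_type. If the exploded HTML was intended,
                     // ".file_type" / ".content_type" may be what is wanted — confirm
                     // against MQL scoping rules before changing.
                     or ..file_type == "html"
                     or ..content_type == "text/html"
                   )
                   and .size < 10000
                   and length(.scan.strings.strings) < 20
                   and any(recipients.to,
                           any(..scan.strings.strings,
                               strings.icontains(., ..email.email)
                           )
                           and .email.domain.valid
                   )
           )
    )
  )
  // Negate attached messages that carry a delivery-status part (bounces that
  // quote the recipient's address are the main false-positive source).
  and not any(attachments,
              any(file.parse_eml(.).attachments,
                  .content_type == "message/delivery-status"
              )
  )
  // bounce-back negations
  and not (
    any(attachments,
        .content_type in ("message/delivery-status", "text/calendar")
    )
  )
  // negate bouncebacks from proofpoint
  and not (
    sender.display_name == "Mail Delivery Subsystem"
    and strings.ends_with(headers.message_id, "pphosted.com>")
    and any(headers.hops,
            .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
    )
    and any(attachments, .content_type == "message/rfc822")
  )
  // unsolicited or fails authentication
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      // Sender claims one of our own domains ($org_domains) but DMARC did not
      // pass. coalesce(..., false) treats a missing DMARC result as a failure
      // (fail-closed), so unauthenticated lookalike-internal mail is caught.
      sender.email.domain.domain in $org_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (same fail-closed coalesce: no DMARC verdict == not trusted).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"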