HTML smuggling containing recipient email address

An HTML attachment (or an HTML attachment nested inside an attached email) is small and contains one of the recipients' email addresses — a pattern seen in HTML-smuggling lures that pre-fill the victim's address.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source:` block is MQL.
# Fires on inbound mail carrying a small HTML file -- attached directly, nested
# inside an attached .eml, or inside a common archive -- whose extracted strings
# contain one of the To: recipients' addresses. Lure pages that embed the
# target's address are a recurring HTML-smuggling technique.
name: "HTML smuggling containing recipient email address"
description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Branch 1: HTML attached directly, or an attached message/rfc822
    // (the inner files are presumably reached through file.explode).
    any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .content_type == "message/rfc822"
          or .file_type == "html"
          or .content_type == "text/html"
        )
        // Small payload with few extracted strings: a page that does little
        // more than carry the target's address. Both thresholds are tuning knobs.
        and any(file.explode(.),
                .size < 10000
                and length(.scan.strings.strings) < 20
                // Only To: recipients are compared (Cc/Bcc are not consulted
                // here); the match is a case-insensitive substring test and the
                // recipient domain must be valid.
                and any(recipients.to,
                        any(..scan.strings.strings,
                            strings.icontains(., ..email.email)
                        )
                        and .email.domain.valid
                )
        )
    )
    // Branch 2: the same HTML inside a common archive attachment.
    or any(attachments,
           (.file_extension in~ $file_extensions_common_archives)
           and any(file.explode(.),
                   (
                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
                     // NOTE(review): `..file_type` / `..content_type` point at
                     // the enclosing archive attachment rather than the
                     // exploded file (branch 1 uses `.file_type` /
                     // `.content_type`). If that scoping is right, these two
                     // checks cannot match an archived HTML file and only the
                     // extension check is effective here -- confirm against
                     // MQL `..` semantics before relying on them.
                     or ..file_type == "html"
                     or ..content_type == "text/html"
                   )
                   and .size < 10000
                   and length(.scan.strings.strings) < 20
                   and any(recipients.to,
                           any(..scan.strings.strings,
                               strings.icontains(., ..email.email)
                           )
                           and .email.domain.valid
                   )
           )
    )
  )
  // Negate attached emails that are themselves bounce reports (they naturally
  // quote the original recipient's address).
  and not any(attachments,
              any(file.parse_eml(.).attachments,
                  .content_type == "message/delivery-status"
              )
  )
  // bounce-back negations (DSNs and calendar invites also carry recipient addresses)
  and not (
    any(attachments,
        .content_type in ("message/delivery-status", "text/calendar")
    )
  )
  // negate bouncebacks from proofpoint: display name, Message-ID suffix,
  // first hop and an attached original message must all line up
  and not (
    sender.display_name == "Mail Delivery Subsystem"
    and strings.ends_with(headers.message_id, "pphosted.com>")
    and any(headers.hops,
            .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
    )
    and any(attachments, .content_type == "message/rfc822")
  )
  // unsolicited or fails authentication
  // Sender-reputation gate: a new/outlier sender that was not solicited, a
  // sender with malicious/spam history and no benign history, or a sender
  // claiming one of the org's own domains without passing DMARC.
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    or (
      sender.email.domain.domain in $org_domains
      // coalesce(): an absent DMARC result is treated as a failure, so an
      // org-domain sender with no DMARC evaluation still qualifies.
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (same coalesce() treatment: missing DMARC counts as a failure)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"

Related rules
