HTML smuggling containing recipient email address
HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.
Sublime rule (View on GitHub)
1name: "HTML smuggling containing recipient email address"
2description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 any(attachments,
9 (
10 .file_extension in~ ("html", "htm", "shtml", "dhtml")
11 or .content_type == "message/rfc822"
12 or .file_type == "html"
13 or .content_type == "text/html"
14 )
15 and any(file.explode(.),
16 .size < 10000
17 and length(.scan.strings.strings) < 20
18 and any(recipients.to,
19 any(..scan.strings.strings,
20 strings.icontains(., ..email.email)
21 )
22 and .email.domain.valid
23 )
24 )
25 )
26 or any(attachments,
27 (.file_extension in~ $file_extensions_common_archives)
28 and any(file.explode(.),
29 (
30 .file_extension in~ ("html", "htm", "shtml", "dhtml")
31 or ..file_type == "html"
32 or ..content_type == "text/html"
33 )
34 and .size < 10000
35 and length(.scan.strings.strings) < 20
36 and any(recipients.to,
37 any(..scan.strings.strings,
38 strings.icontains(., ..email.email)
39 )
40 and .email.domain.valid
41 )
42 )
43 )
44 )
45 and not any(attachments,
46 any(file.parse_eml(.).attachments,
47 .content_type == "message/delivery-status"
48 )
49 )
50 // bounce-back negations
51 and not (
52 any(attachments,
53 .content_type in ("message/delivery-status", "text/calendar")
54 )
55 )
56 and (
57 not profile.by_sender().solicited
58 or (
59 profile.by_sender().any_messages_malicious_or_spam
60 and not profile.by_sender().any_false_positives
61 )
62 )
63tags:
64 - "Attack surface reduction"
65attack_types:
66 - "Credential Phishing"
67 - "Malware/Ransomware"
68tactics_and_techniques:
69 - "Evasion"
70 - "HTML smuggling"
71 - "Scripting"
72detection_methods:
73 - "Archive analysis"
74 - "File analysis"
75 - "Sender analysis"
76id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"