HTML smuggling containing recipient email address
HTML attachment (or HTML attachment inside an attached email) is small and contains a recipient's email address.
Sublime rule
name: "HTML smuggling containing recipient email address"
description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
type: "rule"
severity: "medium"
# Detection logic (MQL). The rule fires when BOTH hold:
#   1. an HTML-like attachment — delivered directly, inside an attached
#      message/rfc822 (.eml), or inside a common archive — explodes to a
#      small file (< 10000 bytes, < 20 extracted strings) whose strings
#      contain one of the To: recipients' email addresses; and
#   2. the sender is new/outlier for this recipient, or has prior
#      malicious/spam messages without any recorded false positives.
# The recipient-address match is the key signal: a tiny HTML file that
# embeds the victim's own address is consistent with a personalised
# credential-phishing lure rather than a generic document.
source: |
  type.inbound
  and (
    // Branch 1: HTML-like attachment, or an attached email whose parts are exploded.
    any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .content_type == "message/rfc822"
          or .file_type == "html"
          or .content_type == "text/html"
        )
        and any(file.explode(.),
                // small payload with few strings: consistent with a minimal smuggling stub
                .size < 10000
                and length(.scan.strings.strings) < 20
                // any To: recipient's address appears (icontains) in the exploded file's strings
                and any(recipients.to,
                        any(..scan.strings.strings, strings.icontains(., ..email.email)) and .email.domain.valid
                )
        )
    )
    // Branch 2: same checks on HTML-like files extracted from a common archive.
    or any(attachments,
           (.file_extension in~ $file_extensions_common_archives)
           and any(file.explode(.),
                   (
                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
                     // NOTE(review): ..file_type / ..content_type refer to the enclosing
                     // archive attachment, not the exploded item; branch 1 checks .file_type
                     // on the attachment itself — confirm this is intended
                     or ..file_type == "html"
                     or ..content_type == "text/html"
                   )
                   and .size < 10000
                   and length(.scan.strings.strings) < 20
                   and any(recipients.to,
                           any(..scan.strings.strings, strings.icontains(., ..email.email)) and .email.domain.valid
                   )
           )
    )
  )
  // Sender reputation gate: unfamiliar sender, or one with a bad history and no known FPs.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across revisions.
id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"