HTML smuggling containing recipient email address

HTML attachment (or an HTML attachment inside an attached email) is small and contains a recipient's email address — a common sign of a per-target HTML-smuggling lure.


 1name: "HTML smuggling containing recipient email address"
 2description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and type.inbound
 8  and (
 9    any(attachments,
10        (
11          .file_extension in~ ("html", "htm", "shtml", "dhtml")
12          or .content_type == "message/rfc822"
13          or .file_type == "html"
14          or .content_type == "text/html"
15        )
16        and any(file.explode(.),
17                .size < 10000
18                and length(.scan.strings.strings) < 20
19                and any(recipients.to,
20                        any(..scan.strings.strings,
21                            strings.icontains(., ..email.email)
22                        )
23                        and .email.domain.valid
24                )
25        )
26    )
27    or any(attachments,
28           (.file_extension in~ $file_extensions_common_archives)
29           and any(file.explode(.),
30                   (
31                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
32                     or ..file_type == "html"
33                     or ..content_type == "text/html"
34                   )
35                   and .size < 10000
36                   and length(.scan.strings.strings) < 20
37                   and any(recipients.to,
38                           any(..scan.strings.strings,
39                               strings.icontains(., ..email.email)
40                           )
41                           and .email.domain.valid
42                   )
43           )
44    )
45  )
46  and not any(attachments,
47            any(file.parse_eml(.).attachments,
48                .content_type == "message/delivery-status"
49            )
50      )
51  // bounce-back negations
52  and (
53    (
54      strings.like(sender.email.local_part,
55                   "*postmaster*",
56                   "*mailer-daemon*",
57                   "*administrator*"
58      )
59      and not any(attachments,
60                  .content_type in (
61                    "message/rfc822",
62                    "message/delivery-status",
63                    "text/calendar"
64                  )
65      )
66    )
67    or not strings.like(sender.email.local_part,
68                        "*postmaster*",
69                        "*mailer-daemon*",
70                        "*administrator*"
71    )
72  )
73  and (
74    not profile.by_sender().solicited
75    or (
76      profile.by_sender().any_messages_malicious_or_spam
77      and not profile.by_sender().any_false_positives
78    )
79  )  
80attack_types:
81  - "Credential Phishing"
82  - "Malware/Ransomware"
83tactics_and_techniques:
84  - "Evasion"
85  - "HTML smuggling"
86  - "Scripting"
87detection_methods:
88  - "Archive analysis"
89  - "File analysis"
90  - "Sender analysis"
91id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"