HTML smuggling containing recipient email address

HTML attachment (or HTML attachment inside an attached email) is small and contains a recipient's email address.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` field is MQL evaluated per inbound message.
# Fires when an HTML attachment (direct, inside an attached email, or inside an archive)
# is small, yields few extracted strings, and embeds a To: recipient's address --
# a pattern consistent with per-target HTML-smuggling lures.
name: "HTML smuggling containing recipient email address"
description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // Branch 1: HTML attached directly, or an attached email (message/rfc822)
    // whose exploded contents are inspected by the nested any() below.
    any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .content_type == "message/rfc822"
          or .file_type == "html"
          or .content_type == "text/html"
        )
        // Inside file.explode(), `.` is the exploded file and `..` the enclosing scope.
        and any(file.explode(.),
                // Small file with few extracted strings: a thin stub rather than a full document.
                .size < 10000
                and length(.scan.strings.strings) < 20
                // Some extracted string contains a To: recipient's address (case-insensitive);
                // `..scan` reaches back to the exploded file, `..email` to the recipient.
                and any(recipients.to,
                        any(..scan.strings.strings,
                            strings.icontains(., ..email.email)
                        )
                        and .email.domain.valid
                )
        )
    )
    // Branch 2: the same size/strings/recipient checks on files extracted from a
    // common archive ($file_extensions_common_archives is a list defined outside this rule).
    or any(attachments,
           (.file_extension in~ $file_extensions_common_archives)
           and any(file.explode(.),
                   (
                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
                     // NOTE(review): `..file_type` / `..content_type` refer to the enclosing
                     // archive attachment, not the exploded file (branch 1 tests `.file_type`
                     // on the item itself) -- confirm this is intended.
                     or ..file_type == "html"
                     or ..content_type == "text/html"
                   )
                   and .size < 10000
                   and length(.scan.strings.strings) < 20
                   and any(recipients.to,
                           any(..scan.strings.strings,
                               strings.icontains(., ..email.email)
                           )
                           and .email.domain.valid
                   )
           )
    )
  )
  // Attached emails carrying a delivery-status part are bounces, not lures.
  and not any(attachments,
            any(file.parse_eml(.).attachments,
                .content_type == "message/delivery-status"
            )
      )
  // bounce-back negations
  and not (
    any(attachments,
        .content_type in ("message/delivery-status", "text/calendar")
    )
  )
  // negate bouncebacks from proofpoint
  and not (
    sender.display_name == "Mail Delivery Subsystem"
    and strings.ends_with(headers.message_id, "pphosted.com>")
    and any(headers.hops,
            .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
    )
    and any(attachments, .content_type == "message/rfc822")
  )
  // Sender reputation gate: fire for unsolicited senders, or for solicited senders
  // with prior malicious/spam messages and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )  
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"

