Attachment: HTML smuggling containing recipient email address

HTML attachment is small and contains a recipient's email address.

Sublime rule (View on GitHub)

# Sublime Security detection rule. Flags an inbound message when a small HTML
# attachment (delivered directly, or extracted from a common archive) carries a
# To: recipient's own email address in its extracted strings, and the sender is
# new/unusual or has a prior malicious-or-spam history with no false positives.
name: "Attachment: HTML smuggling containing recipient email address"
description: "HTML attachment is small and contains a recipients email address."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // branch 1: HTML file attached directly (matched by extension, detected
    // file type, or declared content type)
    any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
          or .content_type == "text/html"
        )
        // small file with few extracted strings, at least one of which
        // contains a To: recipient's address (case-insensitive)
        and any(file.explode(.),
                .size < 10000
                and length(.scan.strings.strings) < 20
                and any(recipients.to,
                        any(..scan.strings.strings, strings.icontains(., ..email.email))
                )
        )
    )
    // branch 2: HTML file found inside a common archive attachment
    or any(attachments,
           (.file_extension in~ $file_extensions_common_archives)
           and any(file.explode(.),
                   // NOTE(review): in this scope "." is the exploded file and ".."
                   // is the archive attachment, so ..file_type / ..content_type
                   // test the archive rather than the exploded file, whereas
                   // branch 1 tests .file_type / .content_type on the file
                   // itself -- confirm this asymmetry is intended
                   (
                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
                     or ..file_type == "html"
                     or ..content_type == "text/html"
                   )
                   // same size / string-count / recipient-address checks as branch 1
                   and .size < 10000
                   and length(.scan.strings.strings) < 20
                   and any(recipients.to,
                           any(..scan.strings.strings, strings.icontains(., ..email.email))
                   )
           )
    )
  )
  // first-time sender: new or outlier prevalence, or a sender with prior
  // malicious/spam messages and no recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
# classification metadata used for triage and reporting
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"