HTML smuggling containing recipient email address
HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.
Sublime rule (View on GitHub)
1name: "HTML smuggling containing recipient email address"
2description: "HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 any(attachments,
9 (
10 .file_extension in~ ("html", "htm", "shtml", "dhtml")
11 or .content_type == "message/rfc822"
12 or .file_type == "html"
13 or .content_type == "text/html"
14 )
15 and any(file.explode(.),
16 .size < 10000
17 and length(.scan.strings.strings) < 20
18 and any(recipients.to,
19 any(..scan.strings.strings,
20 strings.icontains(., ..email.email)
21 )
22 and .email.domain.valid
23 )
24 )
25 )
26 or any(attachments,
27 (.file_extension in~ $file_extensions_common_archives)
28 and any(file.explode(.),
29 (
30 .file_extension in~ ("html", "htm", "shtml", "dhtml")
31 or ..file_type == "html"
32 or ..content_type == "text/html"
33 )
34 and .size < 10000
35 and length(.scan.strings.strings) < 20
36 and any(recipients.to,
37 any(..scan.strings.strings,
38 strings.icontains(., ..email.email)
39 )
40 and .email.domain.valid
41 )
42 )
43 )
44 )
45 and not any(attachments,
46 any(file.parse_eml(.).attachments,
47 .content_type == "message/delivery-status"
48 )
49 )
50 // bounce-back negations
51 and not (
52 any(attachments,
53 .content_type in ("message/delivery-status", "text/calendar")
54 )
55 )
56 // negate bouncebacks from proofpoint
57 and not (
58 sender.display_name == "Mail Delivery Subsystem"
59 and strings.ends_with(headers.message_id, "pphosted.com>")
60 and any(headers.hops,
61 .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
62 )
63 and any(attachments, .content_type == "message/rfc822")
64 )
65 and (
66 not profile.by_sender().solicited
67 or (
68 profile.by_sender().any_messages_malicious_or_spam
69 and not profile.by_sender().any_false_positives
70 )
71 )
72tags:
73 - "Attack surface reduction"
74attack_types:
75 - "Credential Phishing"
76 - "Malware/Ransomware"
77tactics_and_techniques:
78 - "Evasion"
79 - "HTML smuggling"
80 - "Scripting"
81detection_methods:
82 - "Archive analysis"
83 - "File analysis"
84 - "Sender analysis"
85id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"