Attachment: SVG file with HTML entity encoded href attributes

Detects SVG file attachments containing href attributes with three or more consecutive HTML numeric entity references, a technique used to obfuscate malicious URLs and evade security scanning.

Sublime rule

 1name: "Attachment: SVG file with HTML entity encoded href attributes"
 2description: "Detects SVG file attachments containing href attributes with three or more consecutive HTML numeric entity references, a technique used to obfuscate malicious URLs and evade security scanning."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension == "svg"
10            or .content_type in ("image/svg+xml")
11            or .file_type == "svg"
12          )
13          // href value starting with 3+ HTML numeric entity references
14          and regex.icontains(file.parse_text(.,
15                                              encodings=[
16                                                "ascii",
17                                                "utf8",
18                                                "utf16-le"
19                                              ]
20                              ).text,
21                              'href\s*=\s*["\x27]\s*(?:&#x?[0-9a-f]+;\s*){3,}'
22          )
23  )  
24attack_types:
25  - "Malware/Ransomware"
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Evasion"
29  - "HTML smuggling"
30detection_methods:
31  - "File analysis"
32  - "Content analysis"
33id: "cc527e8e-893c-50b2-957f-2a205712a77f"