HTML smuggling with atob in message body

Detects whether the HTML part of an email body contains a `document.write` or `insertAdjacentHTML` call together with an `atob` function call, while the plain-text part is short or absent. This technique has been observed leading to credential phishing.

Sublime rule

name: "HTML smuggling with atob in message body"
description: |
  Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call.
  This technique has been observed leading to credential phishing.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (length(body.plain.raw) < 200 or body.plain.raw is null)
  and regex.icontains(body.html.raw, "document.{0,10}(write|insertAdjacentHTML).{0,10}atob")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "HTML smuggling"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "0f86851f-3ec4-50b6-ba1a-cba096642d0e"
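To see how the three conjuncts of the rule interact, here is an added Python re-implementation of its logic run over a handful of constructed message bodies. This is example code written for this page, not Sublime's engine or the rule author's code; the MQL helpers (`regex.icontains`, `length`, `is null`) are approximated with plain Python, and the function names, sample bodies and base64 strings are all made up for the demonstration.

```python
import re
from typing import Dict, Optional

# Added example (not Sublime's code): a minimal Python mirror of the rule's
# three conditions so the regex can be exercised against constructed bodies.

# Identical pattern to the rule's source. Assumption: like MQL's icontains,
# this is a case-insensitive, unanchored substring search.
SMUGGLING_PATTERN = re.compile(
    r"document.{0,10}(write|insertAdjacentHTML).{0,10}atob",
    re.IGNORECASE,
)


def plain_body_is_short(body_plain: Optional[str]) -> bool:
    """Mirror of `length(body.plain.raw) < 200 or body.plain.raw is null`."""
    return body_plain is None or len(body_plain) < 200


def html_has_atob_smuggling(body_html: Optional[str]) -> bool:
    """Mirror of `regex.icontains(body.html.raw, ...)`; a missing HTML body never matches."""
    if body_html is None:
        return False
    return SMUGGLING_PATTERN.search(body_html) is not None


def rule_matches(inbound: bool, body_plain: Optional[str], body_html: Optional[str]) -> bool:
    """The rule fires only when all three conjuncts hold."""
    return inbound and plain_body_is_short(body_plain) and html_has_atob_smuggling(body_html)


# Constructed sample messages. The base64 strings decode to harmless text
# ("hello world" / "hello"); they stand in for whatever a real lure would carry.
SAMPLES: Dict[str, dict] = {
    "document_write": {
        "inbound": True,
        "plain": None,
        "html": '<html><body><script>document.write(atob("aGVsbG8gd29ybGQ="));</script></body></html>',
    },
    "insert_adjacent_html": {
        "inbound": True,
        "plain": "",
        "html": "<script>var p='beforeend';document.body.insertAdjacentHTML(p,atob(d));</script>",
    },
    "mixed_case": {  # icontains is case-insensitive, so casing does not matter
        "inbound": True,
        "plain": "See attached.",
        "html": "<SCRIPT>DOCUMENT.WRITE(ATOB('aGVsbG8gd29ybGQ='))</SCRIPT>",
    },
    "long_plain_body": {  # same HTML, but a substantial plain-text part (264 chars) suppresses the hit
        "inbound": True,
        "plain": "Quarterly newsletter. " * 12,
        "html": '<script>document.write(atob("aGVsbG8gd29ybGQ="));</script>',
    },
    "outbound": {  # type.inbound fails, so nothing else is evaluated
        "inbound": False,
        "plain": None,
        "html": '<script>document.write(atob("aGVsbG8gd29ybGQ="));</script>',
    },
    "benign_atob_only": {  # atob without a document write sink is not enough
        "inbound": True,
        "plain": None,
        "html": "<script>var t = atob('aGVsbG8=');console.log(t);</script>",
    },
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the rule and return name -> verdict."""
    return {
        name: rule_matches(s["inbound"], s["plain"], s["html"])
        for name, s in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH ' if hit else 'no hit'}  {name}")
```

Two things worth noting when testing a rule like this outside Sublime: Python's `.` does not match a newline unless `re.DOTALL` is set, so confirm how Sublime's regex engine treats line breaks before assuming the two behave identically; and the `{0,10}` gaps bound how far apart the tokens may sit, so test both alternations (`write` and `insertAdjacentHTML`) against bodies shaped like the mail you actually receive rather than only the canonical one-liner.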