Low reputation link to auto-downloaded HTML file with smuggling indicators

Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as use of the atob function, excessive hexadecimal (0x) usage, etc.

Sublime rule (View on GitHub)

  1name: "Low reputation link to auto-downloaded HTML file with smuggling indicators"
  2description: "Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc."
  3type: "rule"
  4severity: "high"
   # The source has three top-level conjuncts: (1) some body link is low-reputation
   # or URL-masking, (2) some body link auto-downloads a file whose scan shows
   # HTML-smuggling indicators, (3) the sender is unsolicited or has only bad history.
   # (1) and (2) are separate any(body.links, ...) clauses, so the low-reputation
   # link and the downloading link are not required to be the same link.
  5source: |
  6  type.inbound
     // (1) low-reputation, free-host, shortener, masked or redirecting link
  7  and any(body.links,
  8           (
  9             .href_url.domain.root_domain not in $tranco_1m
 10             or .href_url.domain.domain in $free_file_hosts
 11             or .href_url.domain.root_domain in $free_file_hosts
 12             or .href_url.domain.root_domain in $free_subdomain_hosts
 13             or .href_url.domain.domain in $url_shorteners
 14             or .href_url.domain.domain in $social_landing_hosts
 15             or 
 16   
 17             // mass mailer link, masks the actual URL
 18             .href_url.domain.root_domain in (
 19               "hubspotlinks.com",
 20               "mandrillapp.com",
 21               "sendgrid.net",
 22               "rs6.net"
 23             )
 24   
 25             // Google AMP redirect
 26             or (
 27               .href_url.domain.sld == "google"
 28               and strings.starts_with(.href_url.path, "/amp/")
 29             )
 30           )
 31   
 32           // exclude sources of potential FPs
 33           and (
 34             .href_url.domain.root_domain not in (
 35               "svc.ms",
 36               "sharepoint.com",
 37               "1drv.ms",
 38               "microsoft.com",
 39               "aka.ms",
 40               "msftauthimages.net",
 41               "mimecastprotect.com",
 42               "office.com"
 43             )
                // note: this inner any() checks every body link, not just the
                // link currently being evaluated, so an excluded domain still
                // qualifies whenever any free-file-host link is also present
 44             or any(body.links, .href_url.domain.domain in $free_file_hosts)
 45           )
 46           and .href_url.domain.root_domain not in $org_domains
 47           and .href_url.domain.valid 
 48   )
     // (2) some link auto-downloads a file whose scan shows smuggling indicators
 49  and any(body.links,
 50          any(ml.link_analysis(.).files_downloaded,
 51              any(file.explode(.),
                     // entropy gate; encoded/packed payloads tend to score high
                     // (threshold presumably tuned empirically — confirm)
 52                  .scan.entropy.entropy >= 5
 53                  and (
                       // at least three JS identifiers matching any of
                       // document / write / atob / onload
 54                    length(filter(.scan.javascript.identifiers,
 55                                  strings.like(.,
 56                                               "document",
 57                                               "write",
 58                                               "atob",
 59                                               "onload"
 60                                  )
 61                           )
 62                    ) > 2
 63                    // usage: document['write'](atob)
 64                    or any(.scan.strings.strings,
 65                           regex.icontains(., "document.{0,10}write.{0,10}atob")
 66                    )
                       // heavy "_0x" usage, typical of obfuscated JS identifiers
 67                    or any(.scan.strings.strings, strings.icount(., "_0x") > 50)
 68                    // usage: some_var = atob();
 69                    or any(.scan.strings.strings,
 70                           regex.icontains(., "=.?atob.*;")
 71                    )
 72                    // usage: atob(atob
 73                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
 74                    // usage: eval(atob)
 75                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
 76                    // usage: atob(_0x)
 77                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
 78                    // usage: obfuscating "atob"
 79                    or any(.scan.javascript.identifiers,
 80                           strings.ilike(., '*ato\u0062*')
 81                    )
 82                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
 83                    or any(.scan.strings.strings,
 84                           strings.ilike(., "*document*insertAdjacentHTML*atob*")
 85                    )
 86                  )
 87              )
 88          )
 89  )
     // (3) sender reputation gate: unsolicited, or only bad history and no benign history
 90  and (
 91    not profile.by_sender().solicited
 92    or (
 93      profile.by_sender().any_messages_malicious_or_spam
 94      and not profile.by_sender().any_messages_benign
 95    )
 96  )  
 97
 98attack_types:
 99  - "Credential Phishing"
100tactics_and_techniques:
101  - "Evasion"
102  - "Free file host"
103  - "Free subdomain host"
104  - "HTML smuggling"
105  - "Impersonation: Brand"
106  - "Open redirect"
107  - "Social engineering"
108detection_methods:
109  - "Content analysis"
110  - "File analysis"
111  - "HTML analysis"
112  - "Javascript analysis"
113  - "Sender analysis"
114  - "URL analysis"
115id: "339676c6-cdac-5929-aa02-c44a346e5ef1"