Low reputation link to auto-downloaded HTML file with smuggling indicators
Message contains a low-reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as use of the atob function, excessive hexadecimal (0x) usage, and similar patterns.
Sublime rule:
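name: "Low reputation link to auto-downloaded HTML file with smuggling indicators"
description: "Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc."
type: "rule"
severity: "high"
# Detection logic (MQL). Three top-level conjuncts must all hold for an
# inbound message: (1) a low-reputation body link, (2) a body link whose
# auto-downloaded file shows HTML-smuggling indicators, (3) a sender-profile
# gate. Conjuncts 1 and 2 each iterate body.links on their own.
source: |
  type.inbound
  // 1. At least one body link points at a low-reputation domain: outside the
  //    Tranco top 1M, or on a free file host / free subdomain host / URL
  //    shortener, or behind a listed mass-mailer domain or a Google AMP path.
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )

            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )
          )

          // exclude sources of potential FPs
          // The inner any(body.links, ...) scans every link in the message,
          // not just the current one: an excluded root domain is re-admitted
          // whenever any other body link sits on a free file host.
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "mimecastprotect.com",
              "office.com"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.valid
  )
  // 2. Some body link auto-downloads a file whose exploded content has
  //    entropy >= 5 and matches at least one smuggling indicator below.
  // NOTE(review): this is a separate any() over body.links, so the link
  // evaluated here need not be the same low-reputation link matched in (1).
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              any(file.explode(.),
                  .scan.entropy.entropy >= 5
                  and (
                    // more than two JS identifiers matching one of these names
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(.,
                                               "document",
                                               "write",
                                               "atob",
                                               "onload"
                                  )
                           )
                    ) > 2
                    // usage: document['write'](atob)
                    or any(.scan.strings.strings,
                           regex.icontains(., "document.{0,10}write.{0,10}atob")
                    )
                    // more than 50 occurrences of "_0x" within a single string
                    or any(.scan.strings.strings, strings.icount(., "_0x") > 50)
                    // usage: some_var = atob();
                    or any(.scan.strings.strings,
                           regex.icontains(., "=.?atob.*;")
                    )
                    // usage: atob(atob
                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                    // usage: eval(atob)
                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                    // usage: atob(_0x)
                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                    // usage: obfuscating "atob"
                    or any(.scan.javascript.identifiers,
                           strings.ilike(., '*ato\u0062*')
                    )
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(., "*document*insertAdjacentHTML*atob*")
                    )
                  )
              )
          )
  )
  // 3. Sender-profile gate: the sender is unsolicited, or has prior
  //    malicious/spam messages and no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "HTML smuggling"
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Sender analysis"
  - "URL analysis"
id: "339676c6-cdac-5929-aa02-c44a346e5ef1"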