Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss or data leakage.

Sublime rule

name: "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment"
description: |
  RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations.
  These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.
type: "rule"
severity: "high"
source: |
  type.inbound

  // RFP/RFQ language
  and 1 of (
    regex.icontains(body.current_thread.text,
                    '(discuss.{0,15}purchas(e|ing))'
    ),
    regex.icontains(body.current_thread.text,
                    '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
    ),
    regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote'),
    regex.icontains(subject.subject, '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'),
    any(attachments, regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))")),
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
    )
    and any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "urgency"
    ),
    any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "purchase_order" and .confidence == "high"
    )
  )

  // HTML smuggling: an HTML file (or archive) whose script combines a
  // base64 decoder (atob) with a DOM write primitive
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  (
                    // all three identifiers present in the parsed JavaScript
                    length(filter(.scan.javascript.identifiers,
                                  strings.like(., "document", "write", "atob")
                           )
                    ) == 3
                    // usage: document['write'](atob)
                    or any(.scan.strings.strings, strings.ilike(., "*document*write*atob*"))
                    // usage: some_var = atob();
                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
                    // usage: obfuscating "atob"
                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                    or any(.scan.strings.strings,
                           strings.ilike(.,
                                         "*document*write*atob*",
                                         "*document*insertAdjacentHTML*atob*"
                           )
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "a47a5755-a698-5daf-98b5-21cdcf893ee2"
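The rule's two conjuncts (RFQ/RFP language and HTML smuggling indicators in an attachment) re-implemented in Python as an added example; this is not Sublime's code or part of the rule. It assumes a simple tokenizer in place of .scan.javascript.identifiers, file lines in place of .scan.strings.strings, omits the NLU and archive checks, and runs on constructed sample messages.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample message and attachments (not from the original page)
SUBJECT = "RFQ - Purchase Order 4471"
BODY = "Hello, kindly review and quote the attached purchase order."
SMUGGLED_HTML = """<html><body><script>
var b64 = "SGVsbG8gd29ybGQ=";
var page = atob(b64);
document['write'](page);
</script></body></html>"""
BENIGN_HTML = """<html><body><h1>Quotation 4471</h1>
<script>document.title = "Quotation";</script></body></html>"""

# The rule's regexes, each paired with the field it is applied to
RFQ_PATTERNS = [
    (r"discuss.{0,15}purchas(e|ing)", "body"),
    (r"(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)", "body"),
    (r"(please|kindly).{0,30}quote", "body"),
    (r"request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b", "subject"),
]

def rfq_language(subject, body):
    """True if at least one RFP/RFQ regex matches (the rule's NLU checks are omitted here)."""
    return any(re.search(p, body if f == "body" else subject, re.I) for p, f in RFQ_PATTERNS)

def ilike(value, glob):
    """Case-insensitive glob match, approximating MQL strings.ilike."""
    return fnmatchcase(value.lower(), glob.lower())

def smuggling_indicators(html):
    """Names of the rule's HTML smuggling checks that fire for one HTML file."""
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    # approximation of .scan.javascript.identifiers: word tokens inside <script> bodies
    idents = {t for s in scripts for t in re.findall(r"[A-Za-z_$][\w$]*", s)}
    # approximation of .scan.strings.strings: non-empty lines of the file
    strs = [ln for ln in html.splitlines() if ln.strip()]
    hits = []
    if {"document", "write", "atob"} <= idents:
        hits.append("identifiers document+write+atob")
    if any(ilike(s, "*document*write*atob*") for s in strs):
        hits.append("document.write(atob(...))")
    if any(ilike(s, "*=*atob*;") for s in strs):
        hits.append("var = atob(...);")
    if any(ilike(i, r"*ato\u0062*") for i in idents):   # literal escape, as in the rule
        hits.append("obfuscated atob")
    if any(ilike(s, "*document*insertAdjacentHTML*atob*") for s in strs):
        hits.append("insertAdjacentHTML(atob(...))")
    return hits

def rule_matches(subject, body, attachments):
    """attachments: list of (file_name, html_text); mirrors the rule's two conjuncts."""
    html_ext = ("html", "htm", "shtml", "dhtml")
    return rfq_language(subject, body) and any(
        name.lower().rsplit(".", 1)[-1] in html_ext and bool(smuggling_indicators(text))
        for name, text in attachments)
```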