Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.

A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.

A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.

A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

Recursively scans files and archives to detect HTML smuggling techniques.

Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call. This technique has been observed leading to credential phishing.

Recursively scans files and archives to detect HTML smuggling techniques.

Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.

Recursively scans files and archives to detect HTML smuggling techniques.

HTML attachmemt contains a base-64 encoded executable.

HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.

Recursively scans files and archives to detect HTML smuggling techniques.

Recursively scans files and archives to detect HTML smuggling techniques.

Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.

Recursively scans files and archives to detect HTML smuggling techniques.

Recursively scans files and archives to detect HTML smuggling techniques.

Potential HTML smuggling. The RC4 algorithm is used within inline JavaScript to decrypt the payload on-the-fly.

Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.

Recursively scans files and archives to detect HTML smuggling techniques.

Recursively scans files and archives to detect HTML smuggling techniques.

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This technique has been used by known threat actors in the wild.

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.