// Detection: an inbound message carrying an HTML/SVG attachment whose
// embedded JavaScript references File System Access API identifiers plus
// drag-and-drop / read-write strings, from a sender profile that is
// unsolicited and new/outlier, has malicious-or-spam history with no benign
// history, or belongs to the delivrto.me domain (that last clause matches
// regardless of profile).
type.inbound
and any(attachments,
(
// HTML file formats including svg, shtml, xht, etc.
// The pattern has a leading anchor only, so an extension that merely
// begins with ht/htm/html/svg/svgz (e.g. a double extension) also matches.
// NOTE(review): whether regex.imatch is a full-string or prefix match is
// not shown here — confirm before relying on or tightening this.
regex.imatch(.file_extension, '^([sdx]{0,1}ht[ml]{0,2}|svgz?)') or
.file_type == "html"
) and
// Walk the attachment's exploded contents and require both the JavaScript
// flavor check and the identifier/string checks below on the same child.
any(file.explode(.),
// JavaScript content present in the HTML file
any(.flavors.yara, . == 'javascript_file') and
// File System API elements for:
// - installing event listener for file/dir drop (not essential to attack)
// - getting handle to file/dir
// - requesting permissions to read and/or write to file
// - reading file content
// At least three of the four identifiers must be present, so one of them
// (e.g. the non-essential event-listener hook) may be absent.
length(filter(['addEventListener', 'requestPermission', 'getAsFileSystemHandle', 'getFile'],
. in ..scan.javascript.identifiers
)) >= 3 and
// Elements for:
// - installing event listener to trigger on file dragged and dropped onto page
// - one of read/write permission combinations
// NOTE(review): `any` is satisfied by a single string, so 'drop' alone (or
// 'read' alone) is enough; the wording above reads as if both were required.
any(['drop', 'read', 'readwrite'],
. in ..scan.javascript.strings
)
)
)
// Sender-reputation gate: fire only when the sender profile looks suspicious
// or the message comes from the delivrto.me domain.
and (
(
// Unsolicited sender whose profile prevalence is "new" or "outlier".
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
// Sender with malicious/spam history and no benign messages on record.
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
// Matches this sender domain irrespective of the profile checks above.
or sender.email.domain.domain == "delivrto.me"
)