Medium Severity

Attachment: HTML smuggling with WebAssembly (Wasm)

Labels

No labels.

Description

HTML attachment contains code associated with compiling, loading or executing WebAssembly (Wasm).

References

https://delivr.to/payloads?id=47af8e7b-9511-4e8f-adc2-03dcaf938498

https://delivr.to/payloads?id=126f0f5f-f2da-488e-9c82-af0aea90f154

https://delivr.to/payloads?id=56eddccc-63a9-42ec-928a-f6f598c93dd8

@delivr_to

Created Mar 4th, 2024 • Last updated Apr 22nd, 2024

Feed Source

delivr.to Feed

Source

GitHub

type.inbound
and (
  (
    not profile.by_sender_email().solicited
    and profile.by_sender_email().prevalence in ("new", "outlier")
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_false_positives
  )
  or sender.email.domain.domain == "delivrto.me"
)
and any(attachments,
  (
    regex.imatch(.file_extension, '^[sdx]{0,1}ht[ml]{0,2}$')
    or .file_extension in~ $file_extensions_common_archives
    or .file_type == "html"
  )
  and any(file.explode(.),
    any(.scan.strings.strings,
      strings.ilike(.,
        "*new WebAssembly.Instance*",
        "*WebAssembly.instantiate*",
        "*WebAssembly.compile*",
        "*wbg_load*",
        "*wbg_init*",
        "*bmV3IFdlYkFzc2VtYmx5Lkluc3RhbmNl*",
        "*d2JnX2xvYWQ*",
        "*d2JnX2luaXQ*"
      )
    )
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.