Sublime Core Feed
Medium Severity

Attachment: Any HTML file within archive (unsolicited)

Description

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling, and embedding them in archives is a way to evade detection.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 12th, 2026
Source
type.inbound
and any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.),
                .depth > 0 and .file_extension in~ ("html", "htm")
        )
)
and (
  not profile.by_sender().solicited
  or (profile.by_sender().any_messages_malicious_or_spam)
)
and not profile.by_sender().any_messages_benign
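
The same logic as an added Python example (not Sublime's code, and not part of the original rule). Assumptions: `explode` is a zip-only stand-in for `file.explode`, `ARCHIVE_EXTS` stands in for `$file_extensions_common_archives`, and the three sender-profile booleans are passed in by the caller.

```python
import io
import zipfile

ARCHIVE_EXTS = {"zip"}          # assumption: stand-in for $file_extensions_common_archives
HTML_EXTS = {"html", "htm"}

def ext(name):
    """Lower-cased extension, mirroring the case-insensitive `in~` match."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def explode(name, data, depth=0, max_depth=5):
    """Yield (depth, name) for a file and everything nested inside it."""
    yield depth, name
    if ext(name) not in ARCHIVE_EXTS or depth >= max_depth:
        return  # not an archive, or nesting limit reached
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from explode(info.filename, zf.read(info), depth + 1, max_depth)
    except zipfile.BadZipFile:
        return  # mislabeled or corrupt archive: nothing to unpack

def html_in_archive(attachments):
    """attachments: list of (filename, bytes). True if any archive holds HTML."""
    return any(
        ext(name) in ARCHIVE_EXTS
        and any(d > 0 and ext(n) in HTML_EXTS for d, n in explode(name, data))
        for name, data in attachments
    )

def rule_matches(attachments, solicited, any_malicious_or_spam, any_benign):
    """Full rule: content check plus the sender-profile conditions."""
    unsolicited = (not solicited) or any_malicious_or_spam
    return html_in_archive(attachments) and unsolicited and not any_benign

def make_zip(members):
    """Build a constructed in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: HTML nested two archives deep, and a bare HTML attachment.
inner = make_zip({"Invoice.HTM": b"<html></html>"})
nested = [("docs.zip", make_zip({"inner.zip": inner, "readme.txt": b"hi"}))]
bare = [("page.html", b"<html></html>")]
```

The bare `page.html` attachment does not match because it sits at depth 0 and is not inside an archive, which is the case the `.depth > 0` condition excludes.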