Medium Severity
Attachment: Any HTML file within archive (unsolicited)
Description
Recursively scans archives to detect HTML files from unsolicited senders.
HTML files can be used for HTML smuggling and embedded in archives to evade detection.
Sublime Security
Created Aug 17th, 2023 • Last updated Nov 14th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.