High Severity

Attachment: Archive containing HTML file with file scheme link

Labels

Credential Phishing

Evasion

Description

Attached archive contains an HTLM file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.

References

https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/

Sublime Security

Created Mar 7th, 2024 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        .file_extension in $file_extensions_common_archives
        and any(file.explode(.),
                (
                  .file_extension in~ ("html", "htm", "shtml", "dhtml")
                  or .flavors.mime == "text/html"
                  or any(.flavors.yara, . == "html_file")
                )
                and any(.scan.url.urls, .scheme == "file")
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.