• Sublime Core Feed
High Severity

Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment

Labels

Malware/Ransomware
Credential Phishing
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
HTML analysis
Sender analysis

Description

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

References

@ajpc500
Created Aug 17th, 2023 • Last updated Oct 4th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and any(attachments,
        .file_extension in ("html", "htm")
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(.,
                                  // Double Base64 encoded zips
                                  "*VUVzREJCUUFBUUFJQ*",
                                  "*VFc0RCQlFBQVFBSU*",
                                  "*VRXNEQkJRQUFRQUlB*",
                                  // Reversed base64 strings double encoded zips
                                  "*QJFUUBFUUCJERzVUV*",
                                  "*USBFVQBFlQCR0cFV*",
                                  "*BlUQRFUQRJkQENXRV*"
                    )
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started