High Severity
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
Description
Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
References
type.inbound
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and any(attachments,
.file_extension in ("html", "htm")
and any(file.explode(.),
any(.scan.strings.strings,
strings.ilike(.,
// Double Base64 encoded zips
"*VUVzREJCUUFBUUFJQ*",
"*VFc0RCQlFBQVFBSU*",
"*VRXNEQkJRQUFRQUlB*",
// Reversed base64 strings double encoded zips
"*QJFUUBFUUCJERzVUV*",
"*USBFVQBFlQCR0cFV*",
"*BlUQRFUQRJkQENXRV*"
)
)
)
)
Playground
Test against your own EMLs or sample data.