• Sublime Core Feed
High Severity

Attachment: EML containing a base64 encoded script

Labels

Credential Phishing
Evasion
HTML smuggling
Scripting
Social engineering
File analysis
HTML analysis
Sender analysis

Description

Attached EML contains a base64 encoded script in the message body.

References

No references.

Sublime Security
Created Jan 30th, 2024 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.current_thread.text) < 1000
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension == "eml")
        and strings.ilike(file.parse_eml(.).body.html.raw,
                          "*script*data:text/html;base64*"
        )
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not any(attachments, .content_type == "message/delivery-status")
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started