• Sublime Core Feed
High Severity

Attachment: EML containing a base64 encoded script

Labels

Description

Attached EML contains a base64 encoded script in the message body.

References

No references.

Sublime Security
Created Jan 30th, 2024 • Last updated Jan 30th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.current_thread.text) < 1000
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension == "eml")
        and strings.ilike(file.parse_eml(.).body.html.raw, "*script*data:text/html;base64*")
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not any(attachments, .content_type == "message/delivery-status")

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started