High Severity
Attachment: EML containing a base64 encoded script
Description
Attached EML contains a base64-encoded script in the message body. The rule parses each attached message (by MIME type message/rfc822 or .eml extension) and flags it when the HTML body holds a script followed by a base64-encoded text/html data: URI, i.e. page content is carried inside the attachment rather than linked. The outer message must be short, and bounce-backs and read receipts, which legitimately re-attach the original message, are excluded.
References
No references.
Sublime Security
Created Jan 30th, 2024 • Last updated Jan 30th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// the outer message is only a short cover note; the content of interest is in the attached message
and length(body.current_thread.text) < 1000
// parse each attached message (by MIME type or .eml extension) and look in its HTML body for a
// script that loads a base64-encoded text/html data: URI (case-insensitive glob match)
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension == "eml")
        and strings.ilike(file.parse_eml(.).body.html.raw, "*script*data:text/html;base64*")
)
// exclude bounce backs & read receipts, which legitimately carry the original message as an attachment
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not any(attachments, .content_type == "message/delivery-status")
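The same clauses expressed in Python over a constructed message, as an added example that is not Sublime's code and not part of the rule. It builds a short forward carrying a message/rfc822 attachment whose HTML body holds a script that loads a base64 text/html data: URI, then applies each check from the rule. Assumptions: type.inbound is direction metadata the parser cannot see and is taken as true; the decoded HTML content stands in for body.html.raw; every address, subject and body is made up.

```python
import base64
import email
import fnmatch
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Glob from the rule; MQL's ilike is case-insensitive, so the haystack is lowercased below.
SCRIPT_PATTERN = "*script*data:text/html;base64*"
# strings.like (case-sensitive) patterns from the bounce/read-receipt exclusion.
BOUNCE_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")


def build_sample(inner_html: str, sender: str = "alice@example.com") -> bytes:
    """Constructed sample (not a real capture): a short forward carrying a
    message/rfc822 attachment whose HTML alternative is inner_html."""
    inner = EmailMessage()
    inner["From"] = "docs@example.org"
    inner["To"] = "victim@example.com"
    inner["Subject"] = "Shared document"
    inner.set_content("Open this message in an HTML-capable client.")
    inner.add_alternative(inner_html, subtype="html")

    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = "victim@example.com"
    outer["Subject"] = "FW: Shared document"
    outer.set_content("Forwarding this, please take a look.")
    outer.add_attachment(inner, filename="original.eml")  # serialised as message/rfc822
    return outer.as_bytes()


# Constructed decoy page packed into the data: URI; the script hands the client over to it.
SMUGGLED_PAGE = base64.b64encode(b"<html><body><h1>Sign in</h1></body></html>").decode()
DECOY_HTML = (
    "<html><body><p>Loading document...</p><script>"
    f'window.location.href = "data:text/html;base64,{SMUGGLED_PAGE}";'
    "</script></body></html>"
)
BENIGN_HTML = "<html><body><p>Quarterly figures are attached.</p></body></html>"


def _content(msg: EmailMessage, kind: str) -> str:
    """Decoded text of the preferred body part of the given kind ('plain' or 'html')."""
    part = msg.get_body(preferencelist=(kind,))
    return part.get_content() if part is not None else ""


def attached_messages(msg: EmailMessage):
    """Stand-in for file.parse_eml: yield parsed inner messages for attachments
    that are message/rfc822 or are named *.eml."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822" and part.is_multipart():
            yield part.get_payload(0)  # the parser already built the inner message
        elif name.endswith(".eml"):
            yield email.message_from_bytes(part.get_payload(decode=True), policy=policy.default)


def matches_rule(raw: bytes) -> bool:
    """Apply the rule's clauses; type.inbound is assumed true (direction is not in the bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # length(body.current_thread.text) < 1000, using the outer plain-text body
    if len(_content(msg, "plain")) >= 1000:
        return False
    # not strings.like(sender.email.local_part, ...)
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0]
    if any(fnmatch.fnmatchcase(local_part, p) for p in BOUNCE_LOCAL_PARTS):
        return False
    # not any(attachments, .content_type == "message/delivery-status")
    if any(p.get_content_type() == "message/delivery-status" for p in msg.iter_attachments()):
        return False
    # any(attachments, ... strings.ilike(parsed.body.html.raw, pattern))
    return any(
        fnmatch.fnmatchcase(_content(inner, "html").lower(), SCRIPT_PATTERN)
        for inner in attached_messages(msg)
    )


if __name__ == "__main__":
    print("decoy forward:", matches_rule(build_sample(DECOY_HTML)))
    print("benign forward:", matches_rule(build_sample(BENIGN_HTML)))
    print("bounce carrying decoy:", matches_rule(build_sample(DECOY_HTML, sender="mailer-daemon@example.com")))
```

The three calls under `__main__` cover the hit, the benign forward, and the bounce exclusion: the last one carries the same decoy HTML but is dropped purely on the sender local part, which is the trade-off the rule's exclusion makes.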