High Severity
Attachment: EML file contains HTML attachment with login portal indicators
Description
The attached EML file carries an HTML attachment whose content shows login-portal indicators: username and login-form references, password error strings, or sign-in lures. Delivering a credential-harvesting page inside a nested message is a known credential theft technique.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Oct 19th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.imatch(subject.subject, "(undeliverable|read:).*")
and not any(attachments, .content_type == "message/delivery-status")
// if a References header value appears in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
  (length(headers.references) == 0 and headers.in_reply_to is null)
  or (
    not strings.istarts_with(subject.subject, "re:")
    and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
  )
)
and any(attachments,
        .content_type == "message/rfc822"
        and any(file.explode(.),
                // suspicious strings found in javascript
                length(filter(.scan.javascript.strings,
                              strings.ilike(.,
                                            "*username*",
                                            "*login-form*",
                                            "*email-form*",
                                            "*Incorrect password. Please try again.*",
                                            "*Password Incomplete, please try again*"
                              )
                       )
                ) >= 3
                or (
                  // suspicious strings found outside of javascript, in an exploded file that is still HTML (or plain text)
                  .flavors.mime in~ ("text/html", "text/plain")
                  and 3 of (
                    any(.scan.strings.strings, strings.ilike(., "*username*")),
                    any(.scan.strings.strings, strings.ilike(., "*login-form*")),
                    any(.scan.strings.strings, strings.ilike(., "*email-form*")),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Incorrect password. Please try again.*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Password Incomplete, please try again*")
                    )
                  )
                )
                or
                // login-page lure strings common to known phishing pages
                2 of (
                  // Enter password
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*Enter password*"
                      )
                  ),
                  // Forgotten my password
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*Forgotten my password*"
                      )
                  ),
                  // Sign in
                  any(.scan.strings.strings,
                      strings.ilike(., "*Sign in*")
                  )
                )
        )
)
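As an added example (not Sublime's code, and not how the MQL engine is implemented), the following Python approximates the attachment half of the rule with the standard-library email parser: it finds message/rfc822 attachments, walks the nested message for HTML files, and applies the rule's three branches with the same indicator strings and thresholds. The sample messages are constructed here. javascript_strings and the line-based scan are stand-ins for Sublime's .scan.javascript.strings and .scan.strings.strings, and _looks_like_html for .flavors.mime, so results can differ from the real engine on edge cases; the bounce and reply exclusions at the top of the rule are not reproduced.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the rule; strings.ilike("*x*") is a
# case-insensitive substring test, reproduced below with lower()/in.
LOGIN_INDICATORS = ("username", "login-form", "email-form",
                    "Incorrect password. Please try again.",
                    "Password Incomplete, please try again")
LURE_STRINGS = ("Enter password", "Forgotten my password", "Sign in")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JS_LITERAL_RE = re.compile(r"""(["'`])(.*?)\1""", re.S)


def javascript_strings(html):
    """Stand-in for .scan.javascript.strings: quoted literals inside <script> blocks."""
    return [m.group(2) for script in SCRIPT_RE.findall(html)
            for m in JS_LITERAL_RE.finditer(script)]


def _indicators_present(lines, needles):
    # "N of" semantics: how many distinct needles appear on at least one line.
    return sum(1 for n in needles if any(n.lower() in line.lower() for line in lines))


def classify_html(html):
    """Return the name of the rule branch that fires for this HTML, or None.
    Branch 1 counts matching JavaScript literals (one indicator hit three times
    is enough); branches 2 and 3 count distinct indicators anywhere in the file."""
    js_hits = [s for s in javascript_strings(html)
               if any(n.lower() in s.lower() for n in LOGIN_INDICATORS)]
    if len(js_hits) >= 3:
        return "javascript-strings"
    lines = html.splitlines()                     # stand-in for .scan.strings.strings
    if _indicators_present(lines, LOGIN_INDICATORS) >= 3:
        return "login-form-strings"
    if _indicators_present(lines, LURE_STRINGS) >= 2:
        return "login-lure-strings"
    return None


def _looks_like_html(part):
    # Rough .flavors.mime analogue: accept declared text/html or an .htm(l) filename.
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))


def scan_eml(raw):
    """Return (name, branch) for each HTML file inside a message/rfc822 attachment
    that trips one of the rule's branches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for inner in part.get_payload():          # list holding the nested message
            for sub in inner.walk():              # file.explode() analogue
                if not _looks_like_html(sub):
                    continue
                data = sub.get_payload(decode=True) or b""
                html = data.decode(sub.get_content_charset() or "utf-8", "replace")
                branch = classify_html(html)
                if branch:
                    findings.append((sub.get_filename() or "<body>", branch))
    return findings


# Constructed samples (not from a real campaign): a fake login page and a
# harmless newsletter body that mentions signing in once.
PHISH_HTML = """<html><body>
<form id="login-form" method="post" action="#">
  <input name="username" placeholder="Email address">
  <input type="password" name="pwd" placeholder="Enter password">
  <a href="#">Forgotten my password</a>
  <button type="submit">Sign in</button>
</form>
<script>
var form = document.getElementById("login-form");
var user = form.querySelector("[name=username]");
function bad() { alert("Incorrect password. Please try again."); }
</script>
</body></html>
"""
NEWSLETTER_HTML = """<html><body><p>Your monthly statement is ready.</p>
<p><a href="#">Sign in</a> to your account to download it.</p></body></html>
"""


def build_forwarded_eml(inner_html, as_attachment):
    """Outer message carrying an inner message as a message/rfc822 attachment."""
    inner = EmailMessage()
    inner["From"], inner["To"], inner["Subject"] = "a@example.test", "b@example.test", "Voicemail"
    if as_attachment:
        inner.set_content("You have a new voice message, see the attached file.")
        inner.add_attachment(inner_html, subtype="html", filename="Voicemail.html")
    else:
        inner.set_content(inner_html, subtype="html")
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = "c@example.test", "d@example.test", "FW: Voicemail"
    outer.set_content("Please take a look at the attached message.")
    outer.add_attachment(inner)                   # serialised as message/rfc822
    return outer.as_bytes()
```

Running scan_eml(build_forwarded_eml(PHISH_HTML, True)) reports Voicemail.html via the JavaScript branch, while the forwarded newsletter produces no finding because a single "Sign in" is below the 2-of threshold. Note the asymmetry the example preserves from the rule: the JavaScript branch is satisfied by three matching string literals even if they all hit the same indicator, whereas the other two branches require distinct indicators.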