• Sublime Core Feed
High Severity

Attachment: EML file contains HTML attachment with login portal indicators

Labels

Credential Phishing
Evasion
HTML smuggling
Content analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Sender analysis

Description

An attached EML file contains an HTML attachment carrying login-portal indicators (login form field names, password error strings, or HTML-entity-obfuscated sign-in text). Wrapping the HTML file inside an attached message is a known credential theft and evasion technique.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Oct 19th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.imatch(subject.subject, "(undeliverable|read:).*")
and not any(attachments, .content_type == "message/delivery-status")

// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
  (length(headers.references) == 0 and headers.in_reply_to is null)
  or (
    not strings.istarts_with(subject.subject, "re:")
    and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
  )
)
and any(attachments,
        .content_type == "message/rfc822"
        and any(file.explode(.),
                // suspicious strings found in javascript
                length(filter(.scan.javascript.strings,
                              strings.ilike(.,
                                            "*username*",
                                            "*login-form*",
                                            "*email-form*",
                                            "*Incorrect password. Please try again.*",
                                            "*Password Incomplete, please try again*"
                              )
                       )
                ) >= 3
                or (

                  // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
                  .flavors.mime in~ ("text/html", "text/plain")
                  and 3 of (
                    any(.scan.strings.strings, strings.ilike(., "*username*")),
                    any(.scan.strings.strings, strings.ilike(., "*login-form*")),
                    any(.scan.strings.strings, strings.ilike(., "*email-form*")),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Incorrect password. Please try again.*")
                    ),
                    any(.scan.strings.strings,
                        strings.ilike(., "*Password Incomplete, please try again*")
                    )
                  )
                )
                or

                // Known phishing obfuscation: keywords are split with HTML numeric character
                // references (&#100 is "d", &#110 is "n") so that naive keyword scans miss them
                2 of (
                  // Enter password
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*Enter passwor&#100*"
                      )
                  ),
                  // Forgotten my password
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*Forgotten my passwor&#100*"
                      )
                  ),
                  // Sign in
                  any(.scan.strings.strings,
                      strings.ilike(., "*Sign i&#110*")
                  )
                )
        )
)
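The rule above, re-implemented as a stand-alone Python script. This is an added example, not Sublime Security's code or the MQL engine: it parses an EML, finds attached message/rfc822 files, pulls the HTML parts out of them and applies the same indicator thresholds. The bounce and reply exclusions are simplified (no hop or DKIM signed-header checks), and as a generalisation beyond the rule it also decodes HTML character references before matching, so `&#x64;` and `&#100;` spellings of the same keyword are caught too. The sample EML, its addresses, subjects and filenames are constructed for the example.

```python
import email
import html
import re
from email import policy
from email.utils import parseaddr

# Indicator strings copied from the rule above; matched as case-insensitive substrings.
LOGIN_INDICATORS = (
    "username",
    "login-form",
    "email-form",
    "Incorrect password. Please try again.",
    "Password Incomplete, please try again",
)
# The rule matches these in their entity-encoded form: "&#100" is "d", "&#110" is "n".
OBFUSCATED_INDICATORS = ("Enter passwor&#100", "Forgotten my passwor&#100", "Sign i&#110")
DECODED_INDICATORS = ("enter password", "forgotten my password", "sign in")

BOUNCE_LOCAL_PARTS = ("postmaster", "mailer-daemon", "administrator")
BOUNCE_SUBJECT_RE = re.compile(r"(undeliverable|read:)", re.IGNORECASE)


def is_bounce_or_reply(msg):
    """Approximate the rule's exclusions for bounces, read receipts and thread replies."""
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    subject = (msg.get("Subject") or "").strip()
    if any(tag in local_part for tag in BOUNCE_LOCAL_PARTS):
        return True
    if BOUNCE_SUBJECT_RE.match(subject):
        return True
    if any(a.get_content_type() == "message/delivery-status" for a in msg.iter_attachments()):
        return True
    # Simplified stand-in for the References / In-Reply-To / hop-header logic (assumption):
    # an In-Reply-To header, or References together with a "re:" subject, marks a reply.
    if msg.get("In-Reply-To"):
        return True
    return bool(msg.get("References")) and subject.lower().startswith("re:")


def html_in_attached_emls(msg):
    """Yield (filename, html_text) for every text/html part inside an attached .eml."""
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for inner in part.get_payload():  # payload of a message/rfc822 part is [EmailMessage]
            for sub in inner.walk():
                if sub.get_content_type() == "text/html":
                    yield sub.get_filename() or "(body)", sub.get_content()


def score_html(html_text):
    """Count the rule's indicators in one HTML document (plain, obfuscated and decoded)."""
    lowered = html_text.lower()
    # Generalisation beyond the rule: decode character references first, so any
    # numeric-entity spelling of the keyword is caught, not only the literal "&#100" form.
    decoded = html.unescape(html_text).lower()
    return {
        "plain_hits": [s for s in LOGIN_INDICATORS if s.lower() in lowered],
        "obfuscated_hits": [s for s in OBFUSCATED_INDICATORS if s.lower() in lowered],
        "decoded_hits": [s for s in DECODED_INDICATORS if s in decoded],
    }


def matches_rule(score):
    """The rule's thresholds: 3 plain indicators, or 2 entity-obfuscated ones."""
    return len(score["plain_hits"]) >= 3 or len(score["obfuscated_hits"]) >= 2


def evaluate(raw_eml):
    """Return one finding per flagged HTML attachment, or [] if the rule would not fire."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    if is_bounce_or_reply(msg):
        return []
    findings = []
    for name, text in html_in_attached_emls(msg):
        score = score_html(text)
        if matches_rule(score):
            findings.append({"attachment": name, **score})
    return findings


# Constructed sample: an outer message carrying a forwarded .eml whose own
# attachment is a fake login page. Addresses, subjects and filenames are made up.
SAMPLE_EML = b"""\
From: Alice Example <alice@example.com>
Subject: FW: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Please review the attached message.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="forwarded.eml"

From: notifications@example.net
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/html; name="Document.html"
Content-Disposition: attachment; filename="Document.html"

<html><body><form id="login-form" class="email-form">
<input name="username"><input type="password" name="pw">
<div style="display:none">Incorrect password. Please try again.</div>
<span>Enter passwor&#100</span><button>Sign i&#110</button>
</form></body></html>
--inner--
--outer--
"""

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EML):
        print(finding)
```

Running the script prints one finding for `Document.html` with four plain indicators and two entity-obfuscated ones; changing the outer subject to start with "Undeliverable" or adding an In-Reply-To header makes `evaluate` return nothing, which is the bounce/reply exclusion at work.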