• Sublime Core Feed
Medium Severity

Attachment: EML file with HTML attachment (unsolicited)

Labels

Description

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 14th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// has EML attachment
and any(attachments,
        .content_type == "message/rfc822"
        and any(file.explode(.),

                // HTML file inside EML attachment
                // we've seen files named ".htm.", which results in an empty
                // .file_extension, so instead we look at .file_name
                // they should be rare enough in EML attachments to not cause
                // extraneous FPs
                strings.ilike(.file_name, "*htm*")

        // optional: we can add additional signals here if necessary
        // identify at least one additional suspicious signal in the message
        // and (
        //     // html smuggling signals
        //     any(.scan.javascript.identifiers, . == "unescape") or
        //     any(.scan.strings.strings, regex.icontains(., "eval")) or
        //     // more signals here if needed

        //     // commonly abused sender TLD
        //     strings.ilike(sender.email.domain.tld, "*.jp")
        // )
        )
)

// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started