Medium Severity
Attachment: EML file with HTML attachment (unsolicited)
Description
Detects HTML files in EML attachments from unsolicited senders.
Reduces attack surface against HTML smuggling.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Mar 28th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// has EML attachment
and any(attachments,
(.file_extension == "eml" or .content_type == "message/rfc822")
and any(file.parse_eml(.).attachments,
// HTML file inside EML attachment
// we've seen files named ".htm.", which results in an empty
// .file_extension, so instead we look at .file_name
// they should be rare enough in EML attachments to not cause
// extraneous FPs
strings.ilike(.file_name, "*htm*")
or .file_type == "html"
or any(file.explode(.), .flavors.mime == "text/html")
)
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
// unsolicited
and not profile.by_sender_email().solicited
Playground
Test against your own EMLs or sample data.