Medium Severity

Attachment: EML file with HTML attachment (unsolicited)

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 14th, 2023
Feed Source: Sublime Core Feed

type.inbound
// has EML attachment
and any(attachments,
        .content_type == "message/rfc822"
        and any(file.explode(.),

                // HTML file inside EML attachment
                // we've seen files named ".htm.", which results in an empty
                // .file_extension, so instead we look at .file_name
                // they should be rare enough in EML attachments to not cause
                // extraneous FPs
                strings.ilike(.file_name, "*htm*")

        // optional: we can add additional signals here if necessary
        // identify at least one additional suspicious signal in the message
        // and (
        //     // html smuggling signals
        //     any(.scan.javascript.identifiers, . == "unescape") or
        //     any(.scan.strings.strings, regex.icontains(., "eval")) or
        //     // more signals here if needed

        //     // commonly abused sender TLD
        //     strings.ilike(sender.email.domain.tld, "*.jp")
        // )
        )
)

// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if a "References" header value appears in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
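The rule is written in MQL, which only evaluates inside Sublime. To show the nested-HTML check and the ".htm." edge case from the rule's comments outside the platform, the following is an added example in Python using the standard library email package. It is not Sublime's code: the sample message, its addresses and the file name "invoice.htm." are constructed for the demonstration, and the sender-prevalence and bounce exclusions, which depend on Sublime's sender history, are left out. It walks every message/rfc822 attachment, looks at the file names inside it the way strings.ilike(.file_name, "*htm*") does, and records what a naive extension check would have concluded for the same file.

```python
"""Added illustration (not Sublime's code) of the nested-HTML check above."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Mirrors strings.ilike(.file_name, "*htm*"): a case-insensitive substring match
# on the file name rather than a check on the parsed extension.
HTML_NAME_MARKER = "htm"


def file_extension(name: str) -> str:
    """Extension as a naive extension parser sees it (lower-case, no dot).

    'invoice.htm.' yields '' because the trailing dot is the last dot in the
    name; this is the blind spot the rule's comment describes for .file_extension.
    """
    return os.path.splitext(name)[1].lstrip(".").lower()


def build_sample_eml(attachment_name: str = "invoice.htm.") -> bytes:
    """Constructed sample: an outer message whose only attachment is a forwarded
    message (message/rfc822) that itself carries a file named attachment_name.
    Addresses and contents are placeholders, not real mail."""
    inner = EmailMessage()
    inner["From"] = "accounts@example.com"
    inner["To"] = "recipient@example.org"
    inner["Subject"] = "Invoice"
    inner.set_content("Please see the attached invoice.")
    inner.add_attachment(
        b"<html><body>placeholder</body></html>",
        maintype="text",
        subtype="html",
        filename=attachment_name,
    )

    outer = EmailMessage()
    outer["From"] = "unknown-sender@example.net"
    outer["To"] = "recipient@example.org"
    outer["Subject"] = "FW: Invoice"
    outer.set_content("Forwarding this for your review.")
    outer.add_attachment(inner)  # serialised as a message/rfc822 part
    return outer.as_bytes()


def html_files_in_eml_attachments(raw: bytes) -> list[dict]:
    """Return one record per file inside a message/rfc822 attachment whose name
    contains 'htm' (case-insensitive), alongside what an extension check sees."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_content()  # the embedded EmailMessage
        for nested in inner.iter_attachments():
            name = nested.get_filename() or ""
            if HTML_NAME_MARKER in name.lower():
                ext = file_extension(name)
                findings.append({
                    "file_name": name,
                    "file_extension": ext,
                    "matched_by_extension": ext in ("htm", "html"),
                })
    return findings


if __name__ == "__main__":
    for hit in html_files_in_eml_attachments(build_sample_eml()):
        print(hit)
```

Running the block prints a single finding for "invoice.htm." with an empty extension and matched_by_extension False, which is why the rule keys on the file name; a message whose nested attachment is named "statement.pdf" produces no finding at all.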