High Severity

Attachment: EML with Embedded Javascript in SVG File

Labels

Credential Phishing
Malware/Ransomware
Scripting
Evasion
File analysis
Javascript analysis
Sender analysis

Description

Detects inbound messages carrying EML attachments whose embedded SVG files contain malicious JavaScript, including base64-encoded content and potentially harmful event handlers. The rule specifically looks for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

References

No references.

Sublime Security
Created Mar 4th, 2025 • Last updated Apr 17th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension =~ "eml")
        and (
          any(file.parse_eml(.).attachments,
              .file_extension in~ ("svg", "svgz")
              and (
                (
                  strings.ilike(file.parse_text(.,
                                                encodings=[
                                                  "ascii",
                                                  "utf8",
                                                  "utf16-le"
                                                ]
                                ).text,
                                "*onload*",
                                "*window.location.href*",
                                "*onerror*",
                                "*CDATA*",
                                "*<script*",
                                "*</script*",
                                "*atob*",
                                '*location.assign*',
                                '*decodeURIComponent*'
                  )
                  or regex.icontains(file.parse_text(.,
                                                     encodings=[
                                                       "ascii",
                                                       "utf8",
                                                       "utf16-le"
                                                     ]
                                     ).text,
                                     '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
                  )
                  or any(beta.scan_base64(file.parse_text(.).text,
                                          encodings=[
                                            "ascii",
                                            "utf8",
                                            "utf16-le"
                                          ]
                         ),
                         strings.ilike(.,
                                       "*onload*",
                                       "*window.location.href*",
                                       "*onerror*",
                                       "*CDATA*",
                                       "*<script*",
                                       "*</script*",
                                       "*atob*",
                                       '*location.assign*',
                                       '*decodeURIComponent*'
                         )
                  )
                )
                or (
                  (
                    .file_extension in $file_extensions_common_archives
                    or .file_type == "gz"
                    or .content_type == "application/x-gzip"
                  )
                  and any(file.explode(.),
                          (
                            .file_extension in~ ("svg", "svgz")
                            or .flavors.mime == "image/svg+xml"
                          )
                          and any(.scan.strings.strings,
                                  strings.ilike(.,
                                                "*onload*",
                                                "*window.location.href*",
                                                "*onerror*",
                                                "*CDATA*",
                                                "*<script*",
                                                "*</script*",
                                                "*atob*",
                                                "*location.assign*",
                                                "*decodeURIComponent*"
                                  )
                          )
                  )
                )
              )
          )
        )
)
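To make the detection concrete, here is a Python re-implementation of the rule's EML branch, run over constructed sample messages. This is an added example, not Sublime Security's code and not the rule itself: parsing uses the standard-library email module, base64_blobs_have_indicator() is only a rough stand-in for beta.scan_base64, the build_sample() mail and the sample SVGs are constructed here, and the rule's archive branch (file.explode over zip/gz attachments) and the type.inbound gate are not reproduced.

```python
"""Python analogue of the MQL rule above (added example, not Sublime's code):
find SVG/SVGZ parts inside an attached EML and apply the rule's three checks."""
import base64
import email
import gzip
import re
from email import policy
from email.message import EmailMessage

# Same indicator list as the rule, matched case-insensitively.
INDICATORS = ("onload", "window.location.href", "onerror", "CDATA", "<script",
              "</script", "atob", "location.assign", "decodeURIComponent")
# Equivalent of the rule's regex.icontains() pattern.
IFRAME_DATA_URI = re.compile(r'<iframe[^>]+src\s*=\s*"data:[^;]+;base64,', re.I)
# Long runs of base64 alphabet (rough stand-in for beta.scan_base64).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decode_text(data: bytes) -> str:
    """Try the encodings the rule names, then fall back to lossy UTF-8."""
    for enc in ("ascii", "utf-8", "utf-16-le"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            pass
    return data.decode("utf-8", errors="replace")

def has_indicator(text: str) -> bool:
    lowered = text.lower()
    return any(ind.lower() in lowered for ind in INDICATORS)

def base64_blobs_have_indicator(text: str) -> bool:
    """Decode each base64-looking run and rescan the plaintext."""
    for token in BASE64_TOKEN.findall(text):
        core = token.rstrip("=")
        try:
            decoded = base64.b64decode(core + "=" * (-len(core) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if has_indicator(decode_text(decoded)):
            return True
    return False

def svg_is_suspicious(data: bytes, name: str = "") -> bool:
    """Apply the three checks of the rule's EML branch to one SVG/SVGZ part."""
    if name.lower().endswith(".svgz") or data[:2] == b"\x1f\x8b":
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError):
            return False
    text = decode_text(data)
    return (has_indicator(text) or IFRAME_DATA_URI.search(text) is not None
            or base64_blobs_have_indicator(text))

def attached_messages(msg):
    """Yield parsed messages for message/rfc822 parts and .eml attachments."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                yield payload[0]
        elif (part.get_filename() or "").lower().endswith(".eml"):
            raw = part.get_payload(decode=True)
            if raw:
                yield email.message_from_bytes(raw, policy=policy.default)

def svg_parts(msg):
    for part in msg.walk():
        name = part.get_filename() or ""
        if (name.lower().endswith((".svg", ".svgz"))
                or part.get_content_type() == "image/svg+xml"):
            yield name, part.get_payload(decode=True) or b""

def message_matches(raw: bytes) -> bool:
    """True when an attached EML carries a suspicious SVG (the rule's core)."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    return any(svg_is_suspicious(data, name)
               for inner in attached_messages(outer)
               for name, data in svg_parts(inner))

def build_sample(svg: bytes, svg_name: str = "invoice.svg", as_rfc822: bool = True) -> bytes:
    """Constructed test mail: outer message -> attached EML -> SVG attachment."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice"
    inner.set_content("Please open the attached invoice.")
    inner.add_attachment(svg, maintype="image", subtype="svg+xml", filename=svg_name)
    outer = EmailMessage()
    outer["Subject"] = "Fwd: Invoice"
    outer["From"] = "sender@example.test"
    outer["To"] = "recipient@example.test"
    outer.set_content("Forwarding the message below.")
    if as_rfc822:
        outer.add_attachment(inner)  # attached as message/rfc822
    else:  # same EML attached as an opaque .eml file
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="forward.eml")
    return outer.as_bytes()

# Constructed samples, one per branch of the check.
XMLNS = b'<svg xmlns="http://www.w3.org/2000/svg">'
BENIGN_SVG = XMLNS + b'<circle r="5"/></svg>'
SCRIPT_SVG = XMLNS + b'<script>window.location.href="https://example.test/"</script></svg>'
IFRAME_SVG = XMLNS + b'<foreignObject><iframe src="data:text/html;base64,PGI+aGk8L2I+"></iframe></foreignObject></svg>'
HIDDEN = base64.b64encode(b"onload=alert(1)")  # b25sb2FkPWFsZXJ0KDEp: no plain indicator
BASE64_SVG = XMLNS + b"<desc>" + HIDDEN + b"</desc></svg>"
SVGZ_SAMPLE = gzip.compress(SCRIPT_SVG)
```

Calling message_matches(build_sample(SCRIPT_SVG)) returns True, as do the iframe and base64 samples, while the benign SVG returns False; the base64 sample shows why the decoded-blob pass matters, since its raw text contains none of the indicator strings. The indicator list is deliberately broad (onload and CDATA also occur in benign SVGs), which is why the rule applies it only to SVGs nested inside an EML attachment or archive rather than to every SVG a message carries.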