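// Inbound message carrying an attached/forwarded EML (message/rfc822 or .eml)
// that in turn contains an SVG with script-like content: inline <script>,
// event handlers (onload/onerror), redirect helpers, base64 decoding, a
// CDATA wrapper, or an <iframe> whose src is a base64 data: URI. The SVG may
// be attached directly to the nested EML or sit inside an archive attached
// to it. The content checks are repeated in three places because MQL has no
// way to bind a reusable string list inline.
type.inbound
and any(attachments,
  (.content_type == "message/rfc822" or .file_extension =~ "eml")
  and (
    // Branch 1: SVG attached directly to the nested EML.
    any(file.parse_eml(.).attachments,
      // The SVG-identification clause is parenthesized so the content checks
      // below apply to every SVG match. Without the parentheses `and` binds
      // tighter than `or`, so any attachment with an .svg/.svgz extension
      // matched unconditionally while only the file_type match was gated on
      // content, which is inconsistent with the archive branch below.
      (.file_extension in~ ("svg", "svgz") or .file_type == "svg")
      and (
        (
          // Plain-text scan; utf16-le is included to catch BOM/wide-char
          // encodings that would hide the keywords from an ascii-only parse.
          strings.ilike(file.parse_text(.,
                          encodings=[
                            "ascii",
                            "utf8",
                            "utf16-le"
                          ]
                        ).text,
                        "*onload*",
                        "*window.location.href*",
                        "*onerror*",
                        "*CDATA*",
                        "*<script*",
                        "*</script*",
                        "*atob*",
                        '*location.assign*',
                        '*decodeURIComponent*'
          )
          // <iframe ... src="data:<mime>;base64,..."> embedded in the SVG.
          or regex.icontains(file.parse_text(.,
                               encodings=[
                                 "ascii",
                                 "utf8",
                                 "utf16-le"
                               ]
                             ).text,
                             '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
          )
          // Same keyword list applied to any base64 blobs found in the
          // text, to catch payloads that are decoded at runtime via atob().
          or any(beta.scan_base64(file.parse_text(.).text,
                                  encodings=[
                                    "ascii",
                                    "utf8",
                                    "utf16-le"
                                  ]
                 ),
                 strings.ilike(.,
                               "*onload*",
                               "*window.location.href*",
                               "*onerror*",
                               "*CDATA*",
                               "*<script*",
                               "*</script*",
                               "*atob*",
                               '*location.assign*',
                               '*decodeURIComponent*'
                 )
          )
        )
      )
      // Branch 2: archive attached to the nested EML that contains an SVG.
      or (
        (
          .file_extension in $file_extensions_common_archives
          or .file_type == "gz"
          or .content_type == "application/x-gzip"
        )
        and any(file.explode(.),
          (
            .file_extension in~ ("svg", "svgz")
            or .flavors.mime == "image/svg+xml"
          )
          // Exploded children expose extracted strings rather than parsed
          // text, so the keyword list is matched against .scan.strings.
          and any(.scan.strings.strings,
            strings.ilike(.,
                          "*onload*",
                          "*window.location.href*",
                          "*onerror*",
                          "*CDATA*",
                          "*<script*",
                          "*</script*",
                          "*atob*",
                          "*location.assign*",
                          "*decodeURIComponent*"
            )
          )
        )
      )
    )
  )
)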