Medium Severity
Attachment: HTML Attachment with Login Portal Indicators
Description
Recursively scans attached files and archives for indicators of a login portal implemented in an HTML file. Delivering a credential-harvesting HTML page as an attachment is a known credential theft technique used by threat actors.
References
// Rule logic: an inbound message is flagged when (1) at least one attachment is
// HTML (by extension or detected file type) or a common archive, (2) after
// recursive explosion at least one resulting file shows login-portal indicators,
// and (3) the sender does not fall into one of the trusted/authenticated
// exclusions below.
type.inbound
and any(attachments,
(
// HTML by extension ...
.file_extension in~ ("html", "htm", "shtml", "dhtml")
// ... or an archive (contents are inspected via file.explode below) ...
or .file_extension in~ $file_extensions_common_archives
// ... or detected as HTML regardless of extension (catches renamed files)
or .file_type == "html"
)
// file.explode expands the attachment (including nested archive contents);
// each produced file is evaluated against the indicator sets below
and any(file.explode(.),
// suspicious strings found in javascript
(
// at least two JavaScript strings mention "password" (case-insensitive glob) ...
length(filter(.scan.javascript.strings, strings.ilike(., "*password*", ))) >= 2
// ... plus at least two of the following login-flow phrases
and 2 of (
any(.scan.javascript.strings, strings.ilike(., "*incorrect*")),
any(.scan.javascript.strings, strings.ilike(., "*invalid*")),
any(.scan.javascript.strings, strings.ilike(., "*login*")),
// "sign.in" requires exactly one character between "sign" and "in"
// (e.g. "sign in", "sign-in"); a bare "signin" does not match
any(.scan.javascript.strings, regex.icontains(., "sign.in")),
)
)
or (
// suspicious strings found outside of javascript, but binexplode'd file still of HTML type
// same password threshold as above, applied to the generic strings scan
length(filter(.scan.strings.strings, strings.ilike(., "*password*", ))) >= 2
and 2 of (
any(.scan.strings.strings, strings.ilike(., "*incorrect*")),
any(.scan.strings.strings, strings.ilike(., "*invalid*")),
any(.scan.strings.strings, strings.ilike(., "*login*")),
// inline script tag present alongside the other phrases
any(.scan.strings.strings, strings.ilike(., "*<script>*")),
any(.scan.strings.strings, regex.icontains(., "sign.in")),
// page title referencing a finance/Microsoft/email theme
// NOTE(review): the leading "." plus "[^<]+" requires at least two characters
// between "<title>" and the keyword, so a title that starts with the keyword
// itself (e.g. "<title>Login</title>") does not match — confirm this is intended
any(.scan.strings.strings,
regex.icontains(.,
'<title>.[^<]+(Payment|Invoice|Statement|Login|Microsoft|Email|Excel)'
)
)
)
)
or
//Known phishing obfuscation
// two of three fixed portal phrases, independent of the password threshold
2 of (
// Enter password
any(.scan.strings.strings,
strings.ilike(.,
"*Enter password*"
)
),
// Forgotten my password
any(.scan.strings.strings,
strings.ilike(.,
"*Forgotten my password*"
)
),
// Sign in
any(.scan.strings.strings,
strings.ilike(., "*Sign in*")
)
)
)
)
and (
(
// exclude internal mailers where there is no SPF configured.
// if the sender's root domain is an org domain, we
// ensure there's an SPF pass
// we use root_domain because it's typically subdomains that are misconfigured
sender.email.domain.root_domain in $org_domains
and headers.auth_summary.spf.pass
)
// external senders are evaluated without an SPF requirement
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// sender-reputation gate: fire only for unsolicited senders that are new or
// unusual for the recipient, or for senders with prior malicious/spam messages
// and no recorded false positives. A previously-seen, solicited sender is
// therefore not flagged by this rule (tuning trade-off against false positives)
and (
(
not profile.by_sender().solicited
and profile.by_sender().prevalence in ("new", "outlier")
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)