High Severity

Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts

Labels

Malware/Ransomware

Credential Phishing

Description

Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques.

References

No references.

Sublime Security

Created Feb 3rd, 2025 • Last updated Nov 3rd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
        )
        and strings.count(file.parse_html(.).raw, 'const') >= 7
        and not regex.contains(file.parse_html(.).raw,
                               "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
        )
        and length(file.parse_html(.).raw) < 50000
        // long timeouts
        and regex.icontains(file.parse_html(.).raw,
                            'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
                            // const delay = new Promise((resolve) => setTimeout(resolve, 100));
                            'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
        )
)

// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.