// Detection: inbound message with an HTML-like (or nested RFC822/.eml) attachment
// whose exploded contents both embed a recipient's address and carry heavily
// obfuscated JavaScript — the combination the inline comments attribute to
// HTML smuggling. All three inner any() clauses must hold for the same attachment.
type.inbound
and any(attachments,
// 1) The attachment presents as HTML by declared content type, by file extension
//    (case-insensitive via in~), or by detected file type — or it is a nested
//    message (message/rfc822 content type or an .eml extension).
// NOTE(review): the 'eml' check uses case-sensitive `in`, while the HTML
// extensions use case-insensitive `in~` — confirm the asymmetry is intended.
(
.content_type == "text/html"
or (.content_type == "message/rfc822" or .file_extension in ('eml'))
or .file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_type == "html"
)
// 2) Some exploded part of the attachment (html or plain text) contains, among
//    its extracted strings, the address of one of the To: recipients.
//    `..` steps out to the enclosing scope: ..scan is the exploded part being
//    examined, ..email.email is the recipient entry from recipients.to.
and any(file.explode(.),
.flavors.mime in~ ("text/html", "text/plain")
and any(recipients.to,
any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
// The matched recipient must have a valid domain, or its display name must
// contain "undisclosed" (case-insensitive).
and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
)
)
// 3) Some exploded part carries obfuscated JavaScript, detected one of two ways.
and any(file.explode(.),
// 3a) A part YARA-flavored as javascript_file with more than 50 identifiers
//     beginning with "_0x" (case-insensitive ilike).
(
any(.flavors.yara, . == "javascript_file")
// common indicator of HTML smuggling
and length(filter(.scan.javascript.identifiers, strings.ilike(., "_0x*"))) > 50
)
// 3b) A text/plain part whose file name starts with "script" (script content
//     that was not extracted as JavaScript), with more than 50 extracted strings
//     matching "_0x" anywhere (case-insensitive regex).
or (
// javascript that doesn't get pulled out properly
.flavors.mime == "text/plain"
and strings.ilike(.file_name, "script*")
// common indicator of HTML smuggling
and length(filter(.scan.strings.strings, regex.imatch(., ".*_0x.*"))) > 50
)
)
)