• Sublime Core Feed
High Severity

Attachment: HTML smuggling 'body onload' with high entropy and suspicious text

Labels

Description

Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.

References

No references.

Sublime Security
Created Sep 25th, 2023 • Last updated Sep 25th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
          )
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
          or .content_type == "text/html"
        )
        and any(file.explode(.),
            .scan.entropy.entropy >= 5
            and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
            and any(.scan.strings.strings, regex.icontains(., 'data:image/.*;base64'))
            and any(.scan.strings.strings, strings.ilike(., "*document pass*"))
        )
)

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started