Medium Severity

Attachment: HTML smuggling with base64 encoded ZIP file

Labels

Credential Phishing

Malware/Ransomware

Description

Detects HTML attachments containing base64-encoded ZIP or Office files alongside JavaScript decoding functions such as atob, fromCharCode, or base64. This technique is commonly used to evade security controls by hiding malicious files within HTML content that are decoded and executed client-side.

References

No references.

Sublime Security

Created Nov 20th, 2025 • Last updated Nov 20th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
        )
        and (
          // javascript functions to decode the base64
          strings.icontains(file.parse_text(.).text, 'atob')
          or strings.icontains(file.parse_text(.).text, 'fromCharCode')
          or strings.icontains(file.parse_text(.).text, 'base64')
        )
        // Magic bytes for a ZIP/Office File that have been base64 encoded
        and regex.contains(file.parse_text(.).text,
                           '[\x2C\x3B\x3A\x22\x27\x28\x7B\x5B\s]UEsDB'
        )
        // negation of Micro Focus Voltage Secure Messaging
        and not strings.contains(file.parse_text(.).text,
                                 "<input type=\"hidden\" name=\"ZFRdata\" value=\"\n-----BEGIN VOLTAGE SECURE BLOCK V3-----\nUEsDBBQAAAAAAAAAAA"
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.