• Sublime Core Feed
High Severity

Attachment: HTML smuggling with embedded base64 streamed file download

Labels

Malware/Ransomware
HTML smuggling
Scripting
Social engineering
Archive analysis
Content analysis
File analysis
HTML analysis

Description

HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                any(.scan.strings.strings,
                    regex.icontains(.,
                                    '<a href="data:application/octet-stream;base64,[a-z0-9/+]+={0,2}" download=".+\.[a-z]{2,3}'
                    )
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started