• Sublime Core Feed
High Severity

Attachment: HTML smuggling with fromCharCode and other signals

Labels

Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
Javascript analysis
HTML analysis

Description

Recursively scans files and archives to detect HTML smuggling techniques.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                length(.scan.javascript.identifiers) < 100
                and "location" in .scan.javascript.identifiers
                and "charCodeAt" in .scan.javascript.identifiers
                and "fromCharCode" in .scan.javascript.identifiers
                and "indexOf" in .scan.javascript.identifiers
                and "try" in .scan.javascript.keywords
                and "catch" in .scan.javascript.keywords
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started