High Severity

Attachment: HTML smuggling with ROT13

Labels

Credential Phishing

Malware/Ransomware

Description

Potential HTML obfuscation attack based on suspicious JavaScript identifiers. Some attackers may use obfuscation techniques such as ROT13 to bypass email security filters. This rule may be expanded to inspect HTML attachments for other suspicious identifiers.

References

No references.

@Kyle_Parrish_

Created Aug 17th, 2023 • Last updated Dec 2nd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type in~ ("html", "svg")
        )
        and any(file.explode(.),
                1 of (
                    any(.scan.javascript.identifiers,
                        . in~ ("rot13", "decodeROT13")
                    ),
                    any(.scan.strings.strings,
                      // ROT13 encoded value for https & http
                      strings.icontains(., "\"uggcf://")
                      or strings.icontains(., "\"uggc://")
                    )
                )
                and length(.scan.javascript.identifiers) < 100
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.