High Severity
Attachment: HTML with Hidden Body
Description
This rule identifies HTML attachments whose raw markup begins directly with a body element styled "display: none", with no doctype, html tag or other content in front of it. The technique has been observed in phishing campaigns: the hidden body makes an otherwise benign-looking HTML attachment render as empty, and remote content is then injected into that body when the file is opened.
References
No references.
Sublime Security
Created Jun 24th, 2024 • Last updated Jun 24th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and not profile.by_sender().solicited
// either not a high trust sender domain, or a high trust domain that fails DMARC
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and any(attachments,
        .file_extension == "html"
        // the raw HTML starts with the hidden body element
        and regex.icontains(file.parse_html(.).raw,
                            '^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">'
        )
)
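To exercise the attachment condition outside Sublime, the following Python script (an added example, not Sublime Security's code) applies the rule's regular expression to the HTML attachments of an .eml. Only the attachment predicate is reproduced: type.inbound, the solicited-sender profile and the $high_trust_sender_root_domains list are Sublime-side data that a standalone script cannot evaluate. The sample message, its addresses and the loader URL are constructed for the example.

```python
"""Offline check for the attachment condition in the rule above.

Added example, not Sublime Security's code. Only the attachment predicate is
reproduced; the sender-trust and solicited-sender conditions need Sublime's
own profile and list data.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# The same pattern the rule passes to regex.icontains. Note what it requires:
# the raw HTML must START with the body tag (no doctype, <html>, or leading
# whitespace), the style attribute must come first, and the semicolon after
# "none" is mandatory. IGNORECASE mirrors icontains.
HIDDEN_BODY_RE = re.compile(
    r'^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">', re.IGNORECASE
)


def is_html_attachment(part) -> bool:
    """Mirror of `.file_extension == "html"`: extension taken from the filename.
    Matches only .html; a .htm attachment does not satisfy the rule."""
    name = part.get_filename() or ""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() == "html"


def starts_with_hidden_body(raw: bytes) -> bool:
    """Apply the rule's regex to the decoded attachment bytes."""
    return HIDDEN_BODY_RE.search(raw.decode("utf-8", errors="replace")) is not None


def hidden_body_attachments(msg: EmailMessage) -> list:
    """Return the filenames of HTML attachments that begin with a hidden body."""
    hits = []
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        payload = part.get_payload(decode=True) or b""
        if starts_with_hidden_body(payload):
            hits.append(part.get_filename())
    return hits


def scan_eml_bytes(raw_eml: bytes) -> list:
    """Parse a raw .eml (e.g. open(path, "rb").read()) and run the check."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    return hidden_body_attachments(msg)


def build_sample(html: bytes, filename: str = "invoice.html") -> EmailMessage:
    """Constructed test message (hypothetical addresses) with one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(html, maintype="text", subtype="html", filename=filename)
    return msg


if __name__ == "__main__":
    # Constructed attachment shaped like the campaign the rule describes:
    # a hidden body followed by a script tag that would pull remote content.
    suspicious = (b'<body style="display:none;">'
                  b'<script src="https://example.invalid/loader.js"></script></body>')
    print(scan_eml_bytes(build_sample(suspicious).as_bytes()))
    # Same content behind a doctype: the ^ anchor no longer matches.
    print(scan_eml_bytes(build_sample(b"<!DOCTYPE html>" + suspicious).as_bytes()))
```

Running the script against a real .eml is a matter of passing the file's bytes to scan_eml_bytes. The negative cases are worth keeping in mind when tuning: because of the leading anchor, a doctype, an html tag or whitespace before the body defeats the match, the regex requires the trailing semicolon inside the style value, and the extension test covers .html but not .htm.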