High Severity
Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Description
Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
References
No references.
Sublime Security
Created Aug 29th, 2023 • Last updated Apr 10th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and .size < 1000000
and any(file.explode(.),
// suspicious identifiers
any([.scan.strings.strings, .scan.javascript.identifiers],
any(., strings.like(., "*atob*", "*decrypt*"))
)
)
// Recipients address found in javascript
and any(file.explode(.),
(
any(recipients.to,
(
any(..scan.javascript.strings,
strings.icontains(., ..email.email)
)
or any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
)
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
)
)
// Negating Cisco Secure Email Encryption
and not any(file.explode(.),
any(.scan.javascript.strings,
strings.contains(., "Cisco Registered Envelope Service")
or strings.contains(., "https://res.cisco.com:443")
)
)
)
Playground
Test against your own EMLs or sample data.