• Sublime Core Feed
Medium Severity

HTML smuggling containing recipient email address

Labels

Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
Scripting
Archive analysis
File analysis
Sender analysis

Description

HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.

References

No references.

Sublime Security
Created Nov 7th, 2023 • Last updated Nov 4th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(attachments,
      (
        .file_extension in~ ("html", "htm", "shtml", "dhtml")
        or .content_type == "message/rfc822"
        or .file_type == "html"
        or (.content_type == "text/html" or .file_extension in ('eml'))
      )
      and any(file.explode(.),
              .size < 10000
              and length(.scan.strings.strings) < 20
              and any(recipients.to,
                      any(..scan.strings.strings,
                          strings.icontains(., ..email.email)
                      )
                      and .email.domain.valid
              )
      )
  )
  or any(attachments,
         (.file_extension in~ $file_extensions_common_archives)
         and any(file.explode(.),
                 (
                   .file_extension in~ ("html", "htm", "shtml", "dhtml")
                   or ..file_type == "html"
                   or ..content_type == "text/html"
                 )
                 and .size < 10000
                 and length(.scan.strings.strings) < 20
                 and any(recipients.to,
                         any(..scan.strings.strings,
                             strings.icontains(., ..email.email)
                         )
                         and .email.domain.valid
                 )
         )
  )
)
and not any(attachments,
            any(file.parse_eml(.).attachments,
                .content_type == "message/delivery-status"
            )
)
// bounce-back negations
and not (
  any(attachments,
      .content_type in ("message/delivery-status", "text/calendar")
  )
)
// negate bouncebacks from proofpoint
and not (
  sender.display_name == "Mail Delivery Subsystem"
  and strings.ends_with(headers.message_id, "pphosted.com>")
  and any(headers.hops,
          .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
  )
  and any(attachments, .content_type == "message/rfc822")
)
// unsolicited or fails authentation
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started