Medium Severity
HTML smuggling containing recipient email address
Description
HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.
References
No references.
Sublime Security
Created Nov 7th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .content_type == "message/rfc822"
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
.size < 10000
and length(.scan.strings.strings) < 20
and any(recipients.to,
any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
and .email.domain.valid
)
)
)
or any(attachments,
(.file_extension in~ $file_extensions_common_archives)
and any(file.explode(.),
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or ..file_type == "html"
or ..content_type == "text/html"
)
and .size < 10000
and length(.scan.strings.strings) < 20
and any(recipients.to,
any(..scan.strings.strings,
strings.icontains(., ..email.email)
)
and .email.domain.valid
)
)
)
)
and not any(attachments,
any(file.parse_eml(.).attachments,
.content_type == "message/delivery-status"
)
)
// bounce-back negations
and not (
any(attachments,
.content_type in ("message/delivery-status", "text/calendar")
)
)
// negate bouncebacks from proofpoint
and not (
sender.display_name == "Mail Delivery Subsystem"
and strings.ends_with(headers.message_id, "pphosted.com>")
and any(headers.hops,
.index == 0 and strings.contains(.received.server.raw, "pphosted.com")
)
and any(attachments, .content_type == "message/rfc822")
)
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.