High Severity

Low reputation link to auto-downloaded HTML file with smuggling indicators

Labels

Credential Phishing

Evasion

Description

Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc.

References

No references.

Sublime Security

Created May 9th, 2024 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
        (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
          or .href_url.domain.domain in $social_landing_hosts
          or 

          // mass mailer link, masks the actual URL
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "rs6.net"
          )

          // Google AMP redirect
          or (
            .href_url.domain.sld == "google"
            and strings.starts_with(.href_url.path, "/amp/")
          )
        )

        // exclude sources of potential FPs
        and (
          .href_url.domain.root_domain not in (
            "svc.ms",
            "sharepoint.com",
            "1drv.ms",
            "microsoft.com",
            "aka.ms",
            "msftauthimages.net",
            "mimecastprotect.com",
            "office.com"
          )
          or any(body.links, .href_url.domain.domain in $free_file_hosts)
        )
        and .href_url.domain.root_domain not in $org_domains
        and .href_url.domain.valid
)
and any(body.links,
        any(ml.link_analysis(.).files_downloaded,
            any(file.explode(.),
                .scan.entropy.entropy >= 5
                and (
                  length(filter(.scan.javascript.identifiers,
                                strings.like(.,
                                             "document",
                                             "write",
                                             "atob",
                                             "onload"
                                )
                         )
                  ) > 2
                  // usage: document['write'](atob)
                  or any(.scan.strings.strings,
                         regex.icontains(., "document.{0,10}write.{0,10}atob")
                  )
                  or any(.scan.strings.strings, strings.icount(., "_0x") > 50)
                  // usage: some_var = atob();
                  or any(.scan.strings.strings,
                         regex.icontains(., "=.?atob.*;")
                  )
                  // usage: atob(atob
                  or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                  // usage: eval(atob)
                  or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                  // usage: atob(_0x)
                  or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                  // usage: obfuscating "atob"
                  or any(.scan.javascript.identifiers,
                         strings.ilike(., '*ato\u0062*')
                  )
                  // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                  or any(.scan.strings.strings,
                         strings.ilike(., "*document*insertAdjacentHTML*atob*")
                  )
                )
            )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.