High Severity

Low reputation link to auto-downloaded HTML file with smuggling indicators

Labels

Credential Phishing

Evasion

Description

Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc.

References

No references.

Sublime Security

Created May 9th, 2024 • Last updated May 9th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(body.links,
         (
           .href_url.domain.root_domain not in $tranco_1m
           or .href_url.domain.domain in $free_file_hosts
           or .href_url.domain.root_domain in $free_file_hosts
           or .href_url.domain.root_domain in $free_subdomain_hosts
           or .href_url.domain.domain in $url_shorteners
           or 
 
           // mass mailer link, masks the actual URL
           .href_url.domain.root_domain in (
             "hubspotlinks.com",
             "mandrillapp.com",
             "sendgrid.net",
             "rs6.net"
           )
 
           // Google AMP redirect
           or (
             .href_url.domain.sld == "google"
             and strings.starts_with(.href_url.path, "/amp/")
           )
         )
 
         // exclude sources of potential FPs
         and (
           .href_url.domain.root_domain not in (
             "svc.ms",
             "sharepoint.com",
             "1drv.ms",
             "microsoft.com",
             "aka.ms",
             "msftauthimages.net",
             "mimecastprotect.com",
             "office.com"
           )
           or any(body.links, .href_url.domain.domain in $free_file_hosts)
         )
         and .href_url.domain.root_domain not in $org_domains
         and .href_url.domain.valid 
 )
and any(body.links,
        any(ml.link_analysis(.).files_downloaded,
            any(file.explode(.),
                .scan.entropy.entropy >= 5
                and (
                  length(filter(.scan.javascript.identifiers,
                                strings.like(.,
                                             "document",
                                             "write",
                                             "atob",
                                             "onload"
                                )
                         )
                  ) > 2
                  // usage: document['write'](atob)
                  or any(.scan.strings.strings,
                         regex.icontains(., "document.{0,10}write.{0,10}atob")
                  )
                  or any(.scan.strings.strings, strings.icount(., "_0x") > 50)
                  // usage: some_var = atob();
                  or any(.scan.strings.strings,
                         regex.icontains(., "=.?atob.*;")
                  )
                  // usage: atob(atob
                  or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
                  // usage: eval(atob)
                  or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
                  // usage: atob(_0x)
                  or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                  // usage: obfuscating "atob"
                  or any(.scan.javascript.identifiers,
                         strings.ilike(., '*ato\u0062*')
                  )
                  // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                  or any(.scan.strings.strings,
                         strings.ilike(., "*document*insertAdjacentHTML*atob*")
                  )
                )
            )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.