Tactic or Technique: Scripting

Attackers use scripting languages like JavaScript, VBScript, and PowerShell to run malicious code delivered through phishing emails or compromised websites. These scripts can load hidden content, redirect you to phishing pages, or silently steal data in the background.
To avoid detection, attackers often scramble the code using encryption, compression, or multiple layers of encoding. This makes it harder for both security tools and analysts to understand what the script is doing.
Scripting is flexible and often used to fingerprint your browser, deliver customized payloads, or create a connection to an attacker-controlled server. Once that connection is active, the script can pull down more malware, collect sensitive information, or give an attacker continued access to your device.
Detection Methods (13):
Archive analysis
File analysis
Macro analysis
HTML analysis
Javascript analysis
Sender analysis
XML analysis
Content analysis
URL analysis
YARA
Computer Vision
Header analysis
Natural Language Understanding

Rule Name: Attachment: Macro Files Containing MHT Content
Last Updated: 6d ago (Jun 12th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Malware/Ransomware, Credential Phishing, Evasion, Macros, Scripting, Archive analysis, File analysis, Macro analysis
/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b

Rule Name: Attachment: HTML smuggling with atob and high entropy via calendar invite
Last Updated: 15d ago (Jun 3rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Evasion, HTML smuggling, Scripting, File analysis, HTML analysis, Javascript analysis, Sender analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614

Rule Name: Attachment: HTML smuggling with eval and atob via calendar invite
Last Updated: 15d ago (Jun 3rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Evasion, HTML smuggling, Scripting, File analysis, HTML analysis, Javascript analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd

Rule Name: Attachment: Embedded Javascript in SVG file
Last Updated: 16d ago (Jun 2nd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Malware/Ransomware, Scripting, Archive analysis, File analysis, Sender analysis, XML analysis
/feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc

Rule Name: Attachment: EML with Embedded Javascript in SVG File
Last Updated: 2mo ago (Apr 17th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Scripting, Evasion, File analysis, Javascript analysis, Sender analysis
/feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-dfafb78f

Rule Name: Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Last Updated: 2mo ago (Apr 10th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, HTML smuggling, Scripting, Archive analysis, File analysis, HTML analysis, Javascript analysis
/feeds/core/detection-rules/attachment-html-with-obfuscation-and-recipients-email-in-javascript-strings-1aff486b

Rule Name: HTML smuggling containing recipient email address
Last Updated: 2mo ago (Apr 1st, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Evasion, HTML smuggling, Scripting, Archive analysis, File analysis, Sender analysis
/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f

Rule Name: Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Last Updated: 2mo ago (Mar 21st, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Scripting, Macros, Exploit, Archive analysis, Content analysis, File analysis
/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b

Rule Name: Suspected Cross-Site Scripting (XSS) found in subject
Last Updated: 3mo ago (Feb 24th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, Scripting, Content analysis, Sender analysis
/feeds/core/detection-rules/suspected-cross-site-scripting-xss-found-in-subject-8a946cfa

Rule Name: Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Last Updated: 4mo ago (Feb 3rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Malware/Ransomware, Credential Phishing, HTML smuggling, Scripting, Evasion, HTML analysis, File analysis, Content analysis
/feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a

Rule Name: Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators
Last Updated: 4mo ago (Jan 29th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Malware/Ransomware, Credential Phishing, Scripting, Impersonation: Brand, Social engineering, Content analysis, Sender analysis
/feeds/core/detection-rules/suspected-wordpress-abuse-with-cross-site-scripting-xss-indicators-9c21225b

Rule Name: Attachment: HTML With Emoji-to-Character Map
Last Updated: 6mo ago (Dec 2nd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, HTML smuggling, Impersonation: Brand, Scripting, Social engineering, File analysis, HTML analysis, Javascript analysis, Sender analysis
/feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086

Rule Name: Attachment: HTML smuggling with atob and high entropy
Last Updated: 9mo ago (Aug 29th, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, HTML analysis, Javascript analysis, Sender analysis, URL analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11

Rule Name: Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Last Updated: 9mo ago (Aug 27th, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, HTML smuggling, Scripting, Social engineering, File analysis, HTML analysis, Javascript analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d

Rule Name: Attachment: HTML with JavaScript Functions for HTTP requests
Last Updated: 11mo ago (Jul 3rd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, Scripting, Content analysis, HTML analysis, Javascript analysis, File analysis
/feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd

Rule Name: Attachment: HTML with Hidden Body
Last Updated: 11mo ago (Jun 24th, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, Scripting, Content analysis, HTML analysis, File analysis
/feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781

Rule Name: Attachment: HTML file with reference to recipient and suspicious patterns
Last Updated: 1y ago (May 3rd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, HTML smuggling, Scripting, Content analysis, File analysis, HTML analysis, Javascript analysis, YARA
/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d

Rule Name: Attachment: Microsoft impersonation via PDF with link and suspicious language
Last Updated: 1y ago (May 2nd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Image as content, Impersonation: Brand, PDF, Scripting, Social engineering, Computer Vision, File analysis, Header analysis, Natural Language Understanding, Sender analysis
/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f

Rule Name: Attachment: HTML smuggling with decimal encoding
Last Updated: 1y ago (Apr 23rd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Evasion, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, HTML analysis
/feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4

Rule Name: Attachment: HTML Attachment with Login Portal Indicators
Last Updated: 1y ago (Apr 23rd, 2024 UTC)
Author: @ajpc500
Types, Tactics & Capabilities: Credential Phishing, HTML smuggling, Scripting, Archive analysis, File analysis, HTML analysis, Javascript analysis, Sender analysis
/feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7