Detection rules › Sublime MQL
Attachment: EML with embedded Javascript in SVG file
Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Scripting, Evasion |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL

```
type.inbound
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension =~ "eml")
        and (
          any(file.parse_eml(.).attachments,
              .file_extension in~ ("svg", "svgz")
              or .file_type == "svg"
              and (
                (
                  strings.ilike(file.parse_text(.,
                                                encodings=[
                                                  "ascii",
                                                  "utf8",
                                                  "utf16-le"
                                                ]
                                ).text,
                                "*onload*",
                                "*window.location.href*",
                                "*onerror*",
                                "*CDATA*",
                                "*<script*",
                                "*</script*",
                                "*atob*",
                                '*location.assign*',
                                '*decodeURIComponent*'
                  )
                  or regex.icontains(file.parse_text(.,
                                                     encodings=[
                                                       "ascii",
                                                       "utf8",
                                                       "utf16-le"
                                                     ]
                                     ).text,
                                     '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
                  )
                  or any(beta.scan_base64(file.parse_text(.).text,
                                          encodings=[
                                            "ascii",
                                            "utf8",
                                            "utf16-le"
                                          ]
                         ),
                         strings.ilike(.,
                                       "*onload*",
                                       "*window.location.href*",
                                       "*onerror*",
                                       "*CDATA*",
                                       "*<script*",
                                       "*</script*",
                                       "*atob*",
                                       '*location.assign*',
                                       '*decodeURIComponent*'
                         )
                  )
                )
                or (
                  (
                    .file_extension in $file_extensions_common_archives
                    or .file_type == "gz"
                    or .content_type == "application/x-gzip"
                  )
                  and any(file.explode(.),
                          (
                            .file_extension in~ ("svg", "svgz")
                            or .flavors.mime == "image/svg+xml"
                          )
                          and any(.scan.strings.strings,
                                  strings.ilike(.,
                                                "*onload*",
                                                "*window.location.href*",
                                                "*onerror*",
                                                "*CDATA*",
                                                "*<script*",
                                                "*</script*",
                                                "*atob*",
                                                "*location.assign*",
                                                "*decodeURIComponent*"
                                  )
                          )
                  )
                )
              )
          )
        )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of attachments where all hold:
  - any of:
    - .content_type is 'message/rfc822'
    - .file_extension is 'eml'
  - any of file.parse_eml(.).attachments where any holds:
    - .file_extension in ('svg', 'svgz')
    - all of:
      - .file_type is 'svg'
      - any of:
        - any of:
          - file.parse_text(., encodings=['ascii', 'utf8', 'utf16-le']).text matches any of 9 patterns: *onload*, *window.location.href*, *onerror*, *CDATA*, *<script*, *</script*, *atob*, *location.assign*, *decodeURIComponent*
          - file.parse_text(., encodings=['ascii', 'utf8', 'utf16-le']).text matches '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
          - any of beta.scan_base64(...) where: . matches any of the same 9 patterns: *onload*, *window.location.href*, *onerror*, *CDATA*, *<script*, *</script*, *atob*, *location.assign*, *decodeURIComponent*
        - all of:
          - any of:
            - .file_extension in $file_extensions_common_archives
            - .file_type is 'gz'
            - .content_type is 'application/x-gzip'
          - any of file.explode(.) where all hold:
            - any of:
              - .file_extension in ('svg', 'svgz')
              - .flavors.mime is 'image/svg+xml'
            - any of .scan.strings.strings where: . matches any of the same 9 patterns: *onload*, *window.location.href*, *onerror*, *CDATA*, *<script*, *</script*, *atob*, *location.assign*, *decodeURIComponent*
Inspects: attachments[].content_type, attachments[].file_extension, type.inbound. Sensors: beta.scan_base64, file.explode, file.parse_eml, file.parse_text, regex.icontains, strings.ilike. Reference lists: $file_extensions_common_archives.
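To show what these checks amount to outside Sublime, here is an added Python re-implementation (example code, not Sublime's and not this rule): it walks an outer message, opens each attached .eml, and runs the same indicator substrings, the iframe base64 data-URI regex, and a base64-decode-then-rescan pass over every SVG or gzip-compressed .svgz attachment. `B64_BLOB` is an assumed, simplified stand-in for `beta.scan_base64`, `build_sample()` constructs the test fixture inline, and the zip/archive branch of the rule is not covered.

```python
import base64, gzip, re
from email import message_from_bytes, policy
from email.message import EmailMessage

INDICATORS = ("onload", "window.location.href", "onerror", "CDATA", "<script",  # the rule's own list
              "</script", "atob", "location.assign", "decodeURIComponent")
IFRAME_B64 = re.compile(r'<iframe[^>]+src\s*=\s*"data:[^;]+;base64,', re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # assumed, crude stand-in for beta.scan_base64

def svg_indicators(text: str) -> set:
    """Substring and regex checks, then the same substring checks over every decoded base64 run."""
    hits = {i for i in INDICATORS if i.lower() in text.lower()}
    if IFRAME_B64.search(text):
        hits.add("iframe-base64-data-uri")
    for blob in B64_BLOB.findall(text):
        try:  # pad to a multiple of 4; anything that is not real base64 is skipped
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:
            continue
        hits.update("b64:" + i for i in INDICATORS if i.lower() in decoded.lower())
    return hits

def scan_message(raw: bytes) -> list:
    """Outer mail -> each attached .eml -> each SVG/SVGZ attachment -> (filename, indicator set)."""
    findings = []
    for att in message_from_bytes(raw, policy=policy.default).iter_attachments():
        if att.get_content_type() != "message/rfc822" and not (att.get_filename() or "").lower().endswith(".eml"):
            continue
        inner = (att.get_content() if att.get_content_type() == "message/rfc822"  # already parsed
                 else message_from_bytes(att.get_payload(decode=True), policy=policy.default))
        for part in inner.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith((".svg", ".svgz")) or part.get_content_type() == "image/svg+xml":
                data = part.get_payload(decode=True) or b""
                if data[:2] == b"\x1f\x8b":  # .svgz is gzip-compressed SVG
                    data = gzip.decompress(data)
                hits = svg_indicators(data.decode("utf-8", "ignore"))
                if hits:
                    findings.append((part.get_filename(), hits))
    return findings

def build_sample() -> bytes:  # constructed fixture: mail -> .eml -> SVG with onload and base64 JS
    js_b64 = base64.b64encode(b"window.location.href='https://example.test/'").decode()
    svg = ('<svg xmlns="http://www.w3.org/2000/svg" onload="atob(\'' + js_b64 + '\')">'
           '<rect width="1" height="1"/></svg>').encode()
    inner = EmailMessage()
    inner.add_attachment(svg, maintype="image", subtype="svg+xml", filename="invoice.svg")
    outer = EmailMessage()
    outer.add_attachment(inner)  # serialised as a message/rfc822 attachment
    return outer.as_bytes()
```

Running `scan_message(build_sample())` reports `invoice.svg` with the `onload` and `atob` hits plus `b64:window.location.href`, the redirect that only becomes visible after the base64 run is decoded.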
Indicators matched (20)
| Field | Match | Value |
|---|---|---|
| attachments[].content_type | equals | message/rfc822 |
| attachments[].file_extension | equals | eml |
| file.parse_eml(attachments[]).attachments[].file_extension | member | svg |
| file.parse_eml(attachments[]).attachments[].file_extension | member | svgz |
| file.parse_eml(attachments[]).attachments[].file_type | equals | svg |
| strings.ilike | substring | *onload* |
| strings.ilike | substring | *window.location.href* |
| strings.ilike | substring | *onerror* |
| strings.ilike | substring | *CDATA* |
| strings.ilike | substring | *<script* |
| strings.ilike | substring | *</script* |
| strings.ilike | substring | *atob* |
| strings.ilike | substring | *location.assign* |
| strings.ilike | substring | *decodeURIComponent* |
| regex.icontains | regex | <iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64, |
| file.parse_eml(attachments[]).attachments[].file_type | equals | gz |
| file.parse_eml(attachments[]).attachments[].content_type | equals | application/x-gzip |
| file.explode(file.parse_eml(attachments[]).attachments[])[].file_extension | member | svg |
| file.explode(file.parse_eml(attachments[]).attachments[])[].file_extension | member | svgz |
| file.explode(file.parse_eml(attachments[]).attachments[])[].flavors.mime | equals | image/svg+xml |