
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Malware/Ransomware, Credential Phishing
Tactics and techniques: HTML smuggling, Scripting, Evasion


Rule body (MQL)

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_type == "html"
        )
        and strings.count(file.parse_html(.).raw, 'const') >= 7
        and not regex.contains(file.parse_html(.).raw,
                               "<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/"
        )
        and length(file.parse_html(.).raw) < 50000
        // long timeouts
        and regex.icontains(file.parse_html(.).raw,
                            'setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);',
                            // const delay = new Promise((resolve) => setTimeout(resolve, 100));
                            'setTimeout\(\s*\w+\,\s*\d{3,}\)+;'
        )
)

// negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.


  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in ('html', 'htm', 'shtml', 'dhtml')
      • .file_type is 'html'
    • strings.count(file.parse_html(.).raw, 'const') ≥ 7
    • not:
      • file.parse_html(.).raw matches '<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/'
    • length(file.parse_html(.).raw) < 50000
    • file.parse_html(.).raw matches any of 2 patterns
      • setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);
      • setTimeout\(\s*\w+\,\s*\d{3,}\)+;
  3. not:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • coalesce(headers.auth_summary.dmarc.pass, false)

Inspects: attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.parse_html, regex.contains, regex.icontains, strings.count. Reference lists: $high_trust_sender_root_domains.
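The same checks re-implemented in Python as an added worked example (not code from the sublime-rules repository), applying the rule's thresholds and regexes to constructed HTML samples. The attachment tuple shape and the trusted-domain set are assumptions standing in for Sublime's message model and the $high_trust_sender_root_domains list.

```python
import re

# Thresholds and patterns copied from the MQL rule body above.
CONST_MIN = 7
MAX_RAW_LEN = 50000
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
GMAIL_SAVED_FROM = re.compile(
    r"<!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/")
LONG_TIMEOUT = [  # regex.icontains: case-insensitive, any one pattern suffices
    re.compile(r"setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);",
               re.IGNORECASE),
    re.compile(r"setTimeout\(\s*\w+\,\s*\d{3,}\)+;", re.IGNORECASE),
]


def attachment_matches(file_extension, file_type, raw):
    """Per-attachment conditions of the rule, evaluated on the raw HTML text."""
    if not (file_extension.lower() in HTML_EXTENSIONS or file_type == "html"):
        return False
    # strings.count is a plain substring count, so 'constructor' also counts
    if raw.count("const") < CONST_MIN:
        return False
    if GMAIL_SAVED_FROM.search(raw):  # page saved from a Gmail inbox: excluded
        return False
    if len(raw) >= MAX_RAW_LEN:  # only small files are in scope
        return False
    return any(p.search(raw) for p in LONG_TIMEOUT)


def message_matches(inbound, attachments, sender_root_domain, dmarc_pass,
                    high_trust_domains=frozenset({"trusted.example"})):
    """Message-level logic: inbound, any attachment hits, trusted DMARC-passing sender negated."""
    if not inbound or not any(attachment_matches(*a) for a in attachments):
        return False
    # coalesce(dmarc.pass, false): a missing DMARC verdict does not earn the exemption
    return not (sender_root_domain in high_trust_domains and bool(dmarc_pass))


# Constructed samples (not real attachments): eight 'const' declarations plus a
# multi-second timeout, and the same script inside a page saved from Gmail.
SMUGGLED_HTML = """<html><script>
const a = 1; const b = 2; const c = 3; const d = 4; const e = 5; const f = 6; const g = 7;
const delay = new Promise((resolve) => setTimeout(resolve, 3000));
</script></html>"""
GMAIL_SAVED_HTML = ("<!DOCTYPE html>\n<!-- saved from url=(0052)https://mail.google.com/"
                    "mail/u/0/#inbox/abc -->\n" + SMUGGLED_HTML)

if __name__ == "__main__":
    print(message_matches(True, [("html", "html", SMUGGLED_HTML)], "unknown.example", None))  # True
```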

Indicators matched (8)

Field | Match | Value
attachments[].file_extension | member | html
attachments[].file_extension | member | htm
attachments[].file_extension | member | shtml
attachments[].file_extension | member | dhtml
attachments[].file_type | equals | html
regex.contains | regex | <!-- saved from url=.{0,7}https://mail.google.com/mail/u/0/#inbox/
regex.icontains | regex | setTimeout\(\s*(?:function\s*)?\(.*?\)\s*(?:=>\s*)?\{[\s\S]*?\},\s*\d+\);
regex.icontains | regex | setTimeout\(\s*\w+\,\s*\d{3,}\)+;