Attachment: HTML with obfuscation and recipient's email in JavaScript strings

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   HTML smuggling, Scripting

Event coverage

Rule body MQL

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
          )
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
          or .content_type == "text/html"
        )
        and .size < 1000000
        and any(file.explode(.),
                // suspicious identifiers
                any([.scan.strings.strings, .scan.javascript.identifiers],
                    any(., strings.like(., "*atob*", "*decrypt*"))
                )
        )
        // Recipients address found in javascript
        and any(file.explode(.),
                (
                  any(recipients.to,
                      (
                        any(..scan.javascript.strings,
                            strings.icontains(., ..email.email)
                        )
                        or any(..scan.strings.strings,
                               strings.icontains(., ..email.email)
                        )
                      )
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
                  )
                )
        )
        // Negating Cisco Secure Email Encryption
        and not any(file.explode(.),
                    any(.scan.javascript.strings,
                        strings.contains(., "Cisco Registered Envelope Service")
                        or strings.contains(., "https://res.cisco.com:443")
                    )
        )
        // Negating SolarWinds Kiwi Syslog server email reports
        and not any(file.explode(.),
                    length(.scan.url.urls) > 0
                    and all(.scan.url.urls,
                            strings.contains(.domain.root_domain,
                                             "kiwisyslog.com"
                            )
                    )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in ('html', 'htm', 'shtml', 'dhtml', 'xhtml')
      • all of:
        • .file_extension is missing
        • .file_type is 'unknown'
        • .content_type is 'application/octet-stream'
      • .file_extension in $file_extensions_common_archives
      • .file_type is 'html'
      • .content_type is 'text/html'
    • .size < 1000000
    • any of file.explode(.) where:
      • any of [.scan.strings.strings, .scan.javascript.identifiers] where:
        • any of . where:
          • . matches any of 2 patterns
            • *atob*
            • *decrypt*
    • any of file.explode(.) where:
      • any of recipients.to where all hold:
        • any of:
          • any of .scan.javascript.strings where:
            • strings.icontains(., ..email.email)
          • any of .scan.strings.strings where:
            • strings.icontains(., ..email.email)
        • any of:
          • .email.domain.valid
          • .display_name contains 'undisclosed'
    • not:
      • any of file.explode(.) where:
        • any of .scan.javascript.strings where any holds:
          • . contains 'Cisco Registered Envelope Service'
          • . contains 'https://res.cisco.com:443'
    • not:
      • any of file.explode(.) where all hold:
        • length(.scan.url.urls) > 0
        • all of .scan.url.urls where:
          • .domain.root_domain contains 'kiwisyslog.com'

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.valid, recipients.to[].email.email, type.inbound. Sensors: file.explode, strings.contains, strings.icontains, strings.like. Reference lists: $file_extensions_common_archives.
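To make the detection logic concrete, here is an added Python approximation of the rule (not Sublime's engine and not the sublime-rules project's own code). It stands in for file.explode with a plain substring scan of the decoded attachment text, assumes a small archive-extension set in place of the $file_extensions_common_archives reference list, and is run over a constructed sample attachment.

```python
import re
from dataclasses import dataclass
# Rule literals; ARCHIVE_EXTENSIONS is an assumed stand-in for $file_extensions_common_archives
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml", "xhtml"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
SUSPICIOUS_IDENTIFIERS = ("atob", "decrypt")
CISCO_MARKERS = ("Cisco Registered Envelope Service", "https://res.cisco.com:443")
MAX_SIZE = 1_000_000

@dataclass
class Attachment:
    file_name: str
    content_type: str
    file_type: str
    body: str  # decoded text, standing in for file.explode(.) scan results

@dataclass
class Recipient:
    email: str
    display_name: str = ""
    domain_valid: bool = True

def is_html_like(a):
    # First clause: extension, sniffed type or MIME type says HTML (or archive)
    ext = a.file_name.rsplit(".", 1)[1].lower() if "." in a.file_name else None
    return (ext in HTML_EXTENSIONS or ext in ARCHIVE_EXTENSIONS
            or (ext is None and a.file_type == "unknown"
                and a.content_type == "application/octet-stream")
            or a.file_type == "html" or a.content_type == "text/html")

def rule_matches(a, recipients):
    # Approximates the rule for one attachment of an inbound message
    if not is_html_like(a) or len(a.body.encode()) >= MAX_SIZE:
        return False
    if not any(ident in a.body for ident in SUSPICIOUS_IDENTIFIERS):
        return False
    # Recipient address in the file, for a valid domain or an "undisclosed" display name
    if not any(r.email.lower() in a.body.lower()
               and (r.domain_valid or "undisclosed" in r.display_name.lower())
               for r in recipients):
        return False
    # Negations: Cisco Secure Email Encryption and Kiwi Syslog email reports
    if any(marker in a.body for marker in CISCO_MARKERS):
        return False
    hosts = re.findall(r"https?://([\w.-]+)", a.body)
    return not (hosts and all("kiwisyslog.com" in h for h in hosts))

# Constructed sample (not a real message): recipient address inside the script
RECIPIENTS = [Recipient("jane.doe@example.com")]
SAMPLE = Attachment("invoice.html", "text/html", "html",
    '<script>var r="jane.doe@example.com";document.write(atob(p));</script>')
```

Real deployments should rely on Sublime's file.explode scan results (javascript.strings, javascript.identifiers, url.urls) rather than this whole-file substring scan, which is looser than the rule in both directions.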

Indicators matched (15)

Field                          Match      Value
attachments[].file_extension   member     html
attachments[].file_extension   member     htm
attachments[].file_extension   member     shtml
attachments[].file_extension   member     dhtml
attachments[].file_extension   member     xhtml
attachments[].file_type        equals     unknown
attachments[].content_type     equals     application/octet-stream
attachments[].file_type        equals     html
attachments[].content_type     equals     text/html
strings.like                   substring  *atob*
strings.like                   substring  *decrypt*
strings.icontains              substring  undisclosed
strings.contains               substring  Cisco Registered Envelope Service
strings.contains               substring  https://res.cisco.com:443
strings.contains               substring  kiwisyslog.com