Attachment: HTML smuggling with decimal encoding

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing, Malware/Ransomware
Tactics and techniques  Evasion, HTML smuggling, Scripting

Event coverage

Rule body (MQL)

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
          )
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
          or .content_type == "text/html"
        )
        and any(file.explode(.),
                // suspicious identifiers
                any(.scan.strings.strings, regex.contains(., '(\d{2,3},){60,}'))
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in ('html', 'htm', 'shtml', 'dhtml', 'xhtml')
      • all of:
        • .file_extension is missing
        • .file_type is 'unknown'
        • .content_type is 'application/octet-stream'
      • .file_extension in $file_extensions_common_archives
      • .file_type is 'html'
      • .content_type is 'text/html'
    • any of file.explode(.) where:
      • any of .scan.strings.strings where:
        • . matches '(\d{2,3},){60,}'
  3. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  4. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  5. not:
    • profile.by_sender().any_messages_benign

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, profile.by_sender, regex.contains. Reference lists: $file_extensions_common_archives, $high_trust_sender_root_domains.
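
The string-level check in step 2 can be reproduced outside Sublime to test candidate strings and to decode a flagged run during triage. The Python below is an added example, not part of the rule or of Sublime's code: the regex is the rule's, the function names and sample strings are constructed for illustration, and Python's re module is assumed to treat this pattern the same way regex.contains does.

```python
import re

# Pattern copied from the rule's regex.contains() call.
RULE_PATTERN = re.compile(r'(\d{2,3},){60,}')

def to_decimal_list(text):
    """Encode text as comma-separated decimal character codes."""
    return ','.join(str(ord(c)) for c in text)

def matches_rule(string):
    """True when the string contains a run the rule's regex would flag."""
    return RULE_PATTERN.search(string) is not None

def decode_run(string):
    """Decode the first flagged run back to text for analyst triage."""
    m = RULE_PATTERN.search(string)
    if m is None:
        return None
    # The regex needs a comma after every number, so the last value of a
    # list is left outside the match; pick it up if it is there.
    tail = re.match(r'\d{2,3}', string[m.end():])
    numbers = m.group(0) + (tail.group(0) if tail else '')
    return ''.join(chr(int(n)) for n in numbers.split(',') if n)

# Constructed samples (not taken from real messages).
HIDDEN = '<p>constructed sample: harmless markup hidden as decimal codes</p>'
SAMPLES = {
    'long_run': 'var d=[' + to_decimal_list(HIDDEN) + '];',
    'exactly_61_values': to_decimal_list('A' * 61),
    'exactly_60_values': to_decimal_list('A' * 60),
    'short_rgb_table': 'colors=[255,128,64,32,16,200,100,50];',
    'plain_html': '<html><body><p>Quarterly report attached.</p></body></html>',
}

if __name__ == '__main__':
    for name, s in SAMPLES.items():
        print(f'{name:18} match={matches_rule(s)} decoded={decode_run(s)!r}')
```

Because every repetition must end in a comma, a list of 60 values without a trailing comma yields only 59 repetitions and does not match; 61 values is the smallest such list that does.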

Indicators matched (10)

Field                         Match   Value
attachments[].file_extension  member  html
attachments[].file_extension  member  htm
attachments[].file_extension  member  shtml
attachments[].file_extension  member  dhtml
attachments[].file_extension  member  xhtml
attachments[].file_type       equals  unknown
attachments[].content_type    equals  application/octet-stream
attachments[].file_type       equals  html
attachments[].content_type    equals  text/html
regex.contains                regex   (\d{2,3},){60,}