detection.wiki

Detection rules › Sublime MQL

Attachment: HTML smuggling Microsoft sign in

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesFree subdomain host, HTML smuggling, Impersonation: Brand, Social engineering

Event coverage

Message attribute
attachments (collection)
sender.email
type

Rule body MQL

type.inbound
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                .scan.entropy.entropy >= 5.7
                and .flavors.mime == "text/html"
                and length(.scan.javascript.identifiers) == 0
                and any(.scan.url.urls,
                        .domain.domain not in $tranco_1m
                        or .domain.root_domain in $free_subdomain_hosts
                )

                // seen in the wild: "sign in to your account", "sign in to your microsoft account"
                and strings.ilike(.scan.html.title, "*sign in*", "*microsoft*")
        )
)
// allow Microsoft domains just to be safe
and sender.email.domain.root_domain not in~ (
  'microsoft.com',
  'microsoftsupport.com',
  'office.com'
)

Detection logic

Scope: inbound message.

Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in ('html', 'htm', 'shtml', 'dhtml')
      • .file_extension in $file_extensions_common_archives
      • .file_type is 'html'
    • any of file.explode(.) where all hold:
      • .scan.entropy.entropy ≥ 5.7
      • .flavors.mime is 'text/html'
      • length(.scan.javascript.identifiers) is 0
      • any of .scan.url.urls where any holds:
        • .domain.domain not in $tranco_1m
        • .domain.root_domain in $free_subdomain_hosts
      • .scan.html.title matches any of 2 patterns
        • *sign in*
        • *microsoft*
  3. sender.email.domain.root_domain not in ('microsoft.com', 'microsoftsupport.com', 'office.com')

Inspects: attachments[].file_extension, attachments[].file_type, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, strings.ilike. Reference lists: $file_extensions_common_archives, $free_subdomain_hosts, $tranco_1m.

Indicators matched (11)

FieldMatchValue
attachments[].file_extensionmemberhtml
attachments[].file_extensionmemberhtm
attachments[].file_extensionmembershtml
attachments[].file_extensionmemberdhtml
attachments[].file_typeequalshtml
file.explode(attachments[])[].flavors.mimeequalstext/html
strings.ilikesubstring*sign in*
strings.ilikesubstring*microsoft*
sender.email.domain.root_domainmembermicrosoft.com
sender.email.domain.root_domainmembermicrosoftsupport.com
sender.email.domain.root_domainmemberoffice.com