detection.wiki

Detection rules › Sublime MQL

Attachment: ICS with embedded Javascript in SVG file

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing, Malware/Ransomware
Tactics and techniquesScripting, Evasion, ICS Phishing

Event coverage

Message attribute
attachments (collection)
type

Rule body MQL

type.inbound
and any(attachments,
        (
          .file_extension in~ ('ics')
          or .content_type in ("application/ics", "text/calendar")
        )
        and any(file.explode(.),
                (
                  .file_extension in~ ("svg", "svgz")
                  or .flavors.mime == "image/svg+xml"
                )
                and any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*onload*",
                                      "*window.location.href*",
                                      "*onerror*",
                                      "*CDATA*",
                                      "*<script*",
                                      "*</script*",
                                      "*atob*",
                                      "*location.assign*",
                                      "*decodeURIComponent*"
                        )
                )
        )
)

Detection logic

Scope: inbound message.

Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension in ('ics')
      • .content_type in ('application/ics', 'text/calendar')
    • any of file.explode(.) where all hold:
      • any of:
        • .file_extension in ('svg', 'svgz')
        • .flavors.mime is 'image/svg+xml'
      • any of .scan.strings.strings where:
        • . matches any of 9 patterns
          • *onload*
          • *window.location.href*
          • *onerror*
          • *CDATA*
          • *<script*
          • *</script*
          • *atob*
          • *location.assign*
          • *decodeURIComponent*

Inspects: attachments[].content_type, attachments[].file_extension, type.inbound. Sensors: file.explode, strings.ilike.

Indicators matched (15)

FieldMatchValue
attachments[].file_extensionmemberics
attachments[].content_typememberapplication/ics
attachments[].content_typemembertext/calendar
file.explode(attachments[])[].file_extensionmembersvg
file.explode(attachments[])[].file_extensionmembersvgz
file.explode(attachments[])[].flavors.mimeequalsimage/svg+xml
strings.ilikesubstring*onload*
strings.ilikesubstring*window.location.href*
strings.ilikesubstring*onerror*
strings.ilikesubstring*CDATA*
strings.ilikesubstring*<script*
strings.ilikesubstring*</script*
3 more
strings.ilikesubstring*atob*
strings.ilikesubstring*location.assign*
strings.ilikesubstring*decodeURIComponent*