HTML smuggling containing recipient email address

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

An HTML attachment (or an HTML attachment inside an attached email) is small and contains a recipient's email address.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing, Malware/Ransomware
Tactics and techniques  Evasion, HTML smuggling, Scripting

Event coverage

Rule body MQL

type.inbound
and (
  any(attachments,
      (
        .file_extension in~ ("html", "htm", "shtml", "dhtml")
        or .content_type == "message/rfc822"
        or .file_type == "html"
        or (.content_type == "text/html" or .file_extension in ('eml'))
      )
      and any(file.explode(.),
              .size < 10000
              and length(.scan.strings.strings) < 20
              and any(recipients.to,
                      any(..scan.strings.strings,
                          strings.icontains(., ..email.email)
                      )
                      and .email.domain.valid
              )
      )
  )
  or any(attachments,
         (.file_extension in~ $file_extensions_common_archives)
         and any(file.explode(.),
                 (
                   .file_extension in~ ("html", "htm", "shtml", "dhtml")
                   or ..file_type == "html"
                   or ..content_type == "text/html"
                 )
                 and .size < 10000
                 and length(.scan.strings.strings) < 20
                 and any(recipients.to,
                         any(..scan.strings.strings,
                             strings.icontains(., ..email.email)
                         )
                         and .email.domain.valid
                 )
         )
  )
)
and not any(attachments,
            any(file.parse_eml(.).attachments,
                .content_type == "message/delivery-status"
            )
)
// bounce-back negations
and not (
  any(attachments,
      .content_type in ("message/delivery-status", "text/calendar")
  )
)
// negate bouncebacks from proofpoint
and not (
  sender.display_name == "Mail Delivery Subsystem"
  and strings.ends_with(headers.message_id, "pphosted.com>")
  and any(headers.hops,
          .index == 0 and strings.contains(.received.server.raw, "pphosted.com")
  )
  and any(attachments, .content_type == "message/rfc822")
)
// unsolicited or fails authentication
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

An HTML attachment (or an HTML attachment inside an attached email) is small and contains a recipient's email address.

  1. inbound message
  2. any of:
    • any of attachments where all hold:
      • any of:
        • .file_extension in ('html', 'htm', 'shtml', 'dhtml')
        • .content_type is 'message/rfc822'
        • .file_type is 'html'
        • any of:
          • .content_type is 'text/html'
          • .file_extension in ('eml')
      • any of file.explode(.) where all hold:
        • .size < 10000
        • length(.scan.strings.strings) < 20
        • any of recipients.to where all hold:
          • any of ..scan.strings.strings (the exploded file's strings) where:
            • strings.icontains(., ..email.email)
          • .email.domain.valid
    • any of attachments where all hold:
      • .file_extension in $file_extensions_common_archives
      • any of file.explode(.) where all hold:
        • any of:
          • .file_extension in ('html', 'htm', 'shtml', 'dhtml')
          • ..file_type is 'html' (the archive attachment itself)
          • ..content_type is 'text/html' (the archive attachment itself)
        • .size < 10000
        • length(.scan.strings.strings) < 20
        • any of recipients.to where all hold:
          • any of ..scan.strings.strings (the exploded file's strings) where:
            • strings.icontains(., ..email.email)
          • .email.domain.valid
  3. not:
    • any of attachments where:
      • any of file.parse_eml(.).attachments where:
        • .content_type is 'message/delivery-status'
  4. not:
    • any of attachments where:
      • .content_type in ('message/delivery-status', 'text/calendar')
  5. not:
    • all of:
      • sender.display_name is 'Mail Delivery Subsystem'
      • headers.message_id ends with 'pphosted.com>'
      • any of headers.hops where all hold:
        • .index is 0
        • .received.server.raw contains 'pphosted.com'
      • any of attachments where:
        • .content_type is 'message/rfc822'
  6. any of:
    • all of:
      • profile.by_sender_email().prevalence in ('new', 'outlier')
      • not:
        • profile.by_sender_email().solicited
    • all of:
      • profile.by_sender_email().any_messages_malicious_or_spam
      • not:
        • profile.by_sender_email().any_messages_benign
    • all of:
      • sender.email.domain.domain in $org_domains
      • not:
        • coalesce(headers.auth_summary.dmarc.pass, false)
  7. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • coalesce(headers.auth_summary.dmarc.pass, false)
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].index, headers.hops[].received.server.raw, headers.message_id, recipients.to, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, file.parse_eml, profile.by_sender_email, strings.contains, strings.ends_with, strings.icontains. Reference lists: $file_extensions_common_archives, $high_trust_sender_root_domains, $org_domains.
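The attachment clause above (steps 2 to 4), re-implemented in Python as an added example so it can be run against constructed messages. This is not Sublime's code and not part of the rule page: `file.explode` is approximated by descending into text/html attachments, attachments of a nested message/rfc822 or .eml, and members of a zip (a reduced stand-in for `$file_extensions_common_archives`); `scan.strings.strings` is approximated by a `strings(1)`-style scan for runs of four or more printable ASCII bytes; `.email.domain.valid` is a hostname regex. The sender-profile and DMARC clauses (steps 6 and 7) are omitted because they need sender history and authentication results that a single message does not carry. The lure HTML and the sample messages are constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}
ARCHIVE_EXTENSIONS = {"zip"}  # assumed stand-in for $file_extensions_common_archives
BOUNCE_TYPES = {"message/delivery-status", "text/calendar"}
MAX_SIZE, MAX_STRINGS = 10000, 20  # the rule's thresholds
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def scan_strings(data):
    """Stand-in for scan.strings.strings: runs of 4+ printable ASCII bytes, like strings(1)."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(data)]

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if name and "." in name else ""

def explode_html(part):
    """Stand-in for file.explode(): every HTML file reachable from one attachment, whether
    it is the attachment itself, an attachment of a nested message/rfc822 or .eml, or a
    zip member. Simplification: a nested message's own HTML body is not descended into."""
    name, ctype = part.get_filename() or "", part.get_content_type()
    found = []
    if ctype == "message/rfc822" or _ext(name) == "eml":
        payload = part.get_payload()  # parsed Message for message/rfc822, raw bytes for .eml
        inner = payload[0] if isinstance(payload, list) else email.message_from_bytes(
            part.get_payload(decode=True), policy=policy.default)
        for sub in inner.iter_attachments():
            found.extend(explode_html(sub))
    elif _ext(name) in ARCHIVE_EXTENSIONS:
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            found.extend((i.filename, zf.read(i)) for i in zf.infolist()
                         if _ext(i.filename) in HTML_EXTENSIONS)
    elif _ext(name) in HTML_EXTENSIONS or ctype == "text/html":
        found.append((name, part.get_payload(decode=True)))
    return found

def _domain_valid(domain):
    """Rough stand-in for .email.domain.valid: a hostname ending in a 2+ letter TLD."""
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", domain.lower()) is not None

def match_recipient_in_html(raw):
    """Names of exploded HTML files satisfying the attachment clause: under 10000 bytes,
    fewer than 20 strings, one string containing a To: address (case-insensitive).
    A delivery-status or calendar attachment negates the whole message, as in the rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = [(a.addr_spec, a.domain) for a in msg["To"].addresses] if msg["To"] else []
    attachments = list(msg.iter_attachments())
    if any(a.get_content_type() in BOUNCE_TYPES for a in attachments):
        return []
    hits = []
    for att in attachments:
        for name, data in explode_html(att):
            strs = scan_strings(data)
            if len(data) >= MAX_SIZE or len(strs) >= MAX_STRINGS:
                continue
            if any(_domain_valid(dom) and any(addr.lower() in s.lower() for s in strs)
                   for addr, dom in recipients):
                hits.append(name)
    return hits

# Constructed lure, not a real sample: a tiny smuggling stub that carries the target's address.
LURE_HTML = b"""<html><body><script>
var user = "Alice@Example.com";
var blob = new Blob([atob("QUFBQQ==")], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>
"""

def build_sample(kind):
    """Constructed inbound message. 'direct', 'rfc822' and 'zip' change where the HTML rides;
    'benign' drops the address; 'padded' pushes the file past 10000 bytes with one comment."""
    html = LURE_HTML
    if kind == "benign":
        html = html.replace(b"Alice@Example.com", b"user")
    if kind == "padded":
        html = html.replace(b"<html>", b"<!--" + b"x" * MAX_SIZE + b"--><html>")
    outer = EmailMessage()
    outer["From"] = "billing@new-sender.invalid"
    outer["To"] = "Alice Example <alice@example.com>"
    outer["Subject"] = "Invoice"
    outer.set_content("Please see the attached invoice.")
    if kind == "rfc822":
        inner = EmailMessage()
        inner.set_content("Forwarded message")
        inner.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
        outer.add_attachment(inner)  # attached as message/rfc822
    elif kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("invoice.html", html)
        outer.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                             filename="invoice.zip")
    else:
        outer.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    return outer.as_bytes()
```

`match_recipient_in_html(build_sample("direct"))`, `"rfc822"` and `"zip"` each return `["invoice.html"]`; `"benign"` and `"padded"` return `[]`. The padded case shows the trade-off the 10000-byte cap makes: a lure that pads itself past the cap escapes this rule, which is the price of staying out of large legitimate HTML mailers. The check is also literal: `strings.icontains` only sees the address if it appears contiguously in one string, so a lure that assembles it at runtime (for example `"ali" + "ce@example.com"`) or stores it base64-encoded is not matched by this clause.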

Indicators matched (18)

Field                                                     Match      Value
attachments[].file_extension                              member     html
attachments[].file_extension                              member     htm
attachments[].file_extension                              member     shtml
attachments[].file_extension                              member     dhtml
attachments[].content_type                                equals     message/rfc822
attachments[].file_type                                   equals     html
attachments[].content_type                                equals     text/html
attachments[].file_extension                              member     eml
file.explode(attachments[])[].file_extension              member     html
file.explode(attachments[])[].file_extension              member     htm
file.explode(attachments[])[].file_extension              member     shtml
file.explode(attachments[])[].file_extension              member     dhtml
(6 more rows, not shown)
file.parse_eml(attachments[]).attachments[].content_type  equals     message/delivery-status
attachments[].content_type                                member     message/delivery-status
attachments[].content_type                                member     text/calendar
sender.display_name                                       equals     Mail Delivery Subsystem
strings.ends_with                                         suffix     pphosted.com>
strings.contains                                          substring  pphosted.com