From 14c4e55de7ca152be22c997dd17b477ed05044fa Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 26 Oct 2023 04:03:21 +0000
Subject: [PATCH] Sync from PR#878 Create attachment_small_html_recipient_address.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/878 Source SHA afb02682f46fd30d5e439a117d47a3951a06302a Triggered by @morriscode
---
 ...ttachment_small_html_recipient_address.yml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 detection-rules/attachment_small_html_recipient_address.yml
diff --git a/detection-rules/attachment_small_html_recipient_address.yml b/detection-rules/attachment_small_html_recipient_address.yml
new file mode 100644
index 00000000000..3fe3f62cf6e
--- /dev/null
+++ b/detection-rules/attachment_small_html_recipient_address.yml 
@@ -0,0 +1,59 @@
+name: "Attachment: HTML smuggling containing recipient email address"
+description: "HTML attachment is small and contains a recipients email address."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ .size < 10000
+ and length(.scan.strings.strings) < 20
+ and any(recipients.to,
+ any(..scan.strings.strings, strings.icontains(., ..email.email))
+ )
+ )
+ )
+ or any(attachments,
+ (.file_extension in~ $file_extensions_common_archives)
+ and any(file.explode(.),
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or ..file_type == "html"
+ or ..content_type == "text/html"
+ )
+ and .size < 10000
+ and length(.scan.strings.strings) < 20
+ and any(recipients.to,
+ any(..scan.strings.strings, strings.icontains(., ..email.email))
+ )
+ )
+ )
+ )
+ // first-time sender
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
+id: "af32ff2f-1aa8-5a54-bc50-93648f17cfcd"
+testing_pr: 878
+testing_sha: afb02682f46fd30d5e439a117d47a3951a06302a
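Review bot: In the archive branch of `source` (the second `any(attachments, …)`), the two fallback type checks inside `any(file.explode(.), …)` are written `..file_type == "html"` and `..content_type == "text/html"`, which appear to refer to the parent archive attachment rather than the exploded file, so an HTML file extracted from an archive without an html/htm extension would only match if the archive itself reported an html type. Unless the parent-scope reference is intended, these should mirror the direct-attachment branch above, which uses the single-dot form: `or .file_type == "html"` and `or .content_type == "text/html"`. As written the archive branch is effectively extension-only, which narrows the coverage the "Archive analysis" detection method advertises. Separately, the `description` string reads "a recipients email address"; "a recipient's email address" is the intended wording.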