Create attachment_eml_b64_script.yml (#888)

Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Sam Scholten <[email protected]>

detection-rules/attachment_eml_b64_script.yml

@@ -0,0 +1,26 @@
+name: "Attachment: EML containing a base64 encoded script"
+description: "Attached EML contains a base64 encoded script in the message body."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(body.current_thread.text) < 1000
+  and any(attachments,
+          (.content_type == "message/rfc822" or .file_extension == "eml")
+          and strings.ilike(file.parse_eml(.).body.html.raw, "*script*data:text/html;base64*")
+  )
+  // exclude bounce backs & read receipts
+  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
+  and not any(attachments, .content_type == "message/delivery-status")
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "fc3d9445-b977-5653-814f-079d40c04609"