New Rule: HTML smuggling with decimal encoding (#806)

Co-authored-by: ID Generator <[email protected]>
sublime-security · Sep 21, 2023 · eb1e15e · eb1e15e
1 parent a979ae9
commit eb1e15e
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
@@ -0,0 +1,39 @@
+name: "Attachment: HTML smuggling with decimal encoding"
+description: |
+  Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. 
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+            or (
+              .file_extension is null
+              and .file_type == "unknown"
+              and .content_type == "application/octet-stream"
+            )
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+            or .content_type == "text/html"
+          )
+          and any(file.explode(.),
+                  // suspicious identifiers
+                  any(.scan.strings.strings,
+                      regex.contains(., '(\d{2,3},){60,}')
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"