diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml new file mode 100644 index 00000000000..236d94bf693 --- /dev/null +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml @@ -0,0 +1,39 @@ +name: "Attachment: HTML smuggling with decimal encoding" +description: | + Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml") + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + ) + or .file_extension in~ $file_extensions_common_archives + or .file_type == "html" + or .content_type == "text/html" + ) + and any(file.explode(.), + // suspicious identifiers + any(.scan.strings.strings, + regex.contains(., '(\d{2,3},){60,}') + ) + ) + ) +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" +id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"