From ad7a1fa6b2d66fda1add36a4075a2fc2d18a06f5 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 22 Sep 2023 16:11:18 -0400
Subject: [PATCH] Update attachment_html_smuggling_unescape.yml

Depending on how the HTML is structured javascript identifiers never populates and this is present in strings only. Updating to accommodate.
---
 detection-rules/attachment_html_smuggling_unescape.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/detection-rules/attachment_html_smuggling_unescape.yml b/detection-rules/attachment_html_smuggling_unescape.yml
index b4ccb82ceb2..7096c7d740b 100644
--- a/detection-rules/attachment_html_smuggling_unescape.yml
+++ b/detection-rules/attachment_html_smuggling_unescape.yml
@@ -13,7 +13,10 @@ source: |
             or .file_extension in~ $file_extensions_common_archives
             or .file_type == "html"
           )
-          and any(file.explode(.), any(.scan.javascript.identifiers, . == "unescape"))
+          and any(file.explode(.),
+                  any(.scan.javascript.identifiers, . == "unescape")
+                  or any(.scan.strings.strings, regex.contains(., "document.write.{0,10}unescape"))
+          )
   )
 attack_types:
   - "Credential Phishing"
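Review bot: The string fallback on the new `or any(.scan.strings.strings, regex.contains(., "document.write.{0,10}unescape"))` line is much narrower than the identifier check it is meant to back up: the identifier branch fires on any `unescape` reference, but the string branch only fires when `unescape` sits within 10 characters after `document.write`, so when identifiers do not populate, payloads such as `eval(unescape(...))`, `innerHTML = unescape(...)`, or `var p = unescape(...)` decoded before a later write are missed. If that narrowing is deliberate to limit false positives, record it in the rule description, e.g. `# string fallback is intentionally limited to document.write(unescape(...)) to avoid FPs on benign unescape usage`; otherwise consider widening the left side of the pattern to cover `eval`/`innerHTML`/assignment sinks. Separately, the `.` in `document.write` is an unescaped metacharacter, so the expression matches any character there; `document\.write` would be exact (check how MQL string literals want the backslash escaped). Note also that `.scan.strings.strings` is not restricted to script content, so a match in non-script text (for example an HTML comment) would also trigger, which is probably acceptable given the specificity of the pattern but worth stating in the description.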