Attachment: HTML smuggling 'body onload' linking to suspicious destination

Sublime Rules

Summary
This detection rule identifies potential HTML smuggling attacks delivered through HTML attachments that execute scripted actions via the `body onload` event, a technique used to deliver malware or phishing links. It runs when an inbound attachment is analyzed, specifically for files with HTML-related extensions or files classified as `unknown` with a content type of `application/octet-stream`. The rule inspects the content for exactly one URL and checks whether that URL has been reported to URLhaus by trusted reporters or carries a suspicious top-level domain (TLD). An attachment with these characteristics, including the presence of `body onload`, raises an alert marking the attempt as potentially malicious. The rule targets credential phishing and malware/ransomware delivery methods that abuse legitimate HTML features to bypass traditional security controls.
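The following Python sketch is an added illustration of the logic the summary describes; it is not the Sublime rule itself (which is written in Sublime's own query language and is not shown on this page). The suspicious-TLD set, the URLhaus lookup (modelled as a pre-fetched set of reported URLs), and the sample attachments are all constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical stand-in for the rule's suspicious-TLD list (the real list is not on this page).
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "click"}
HTML_EXTENSIONS = {"html", "htm", "shtml", "xhtml"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


class BodyOnloadParser(HTMLParser):
    """Records whether any <body> tag carries an onload handler (names arrive lowercased)."""

    def __init__(self):
        super().__init__()
        self.body_onload = False

    def handle_starttag(self, tag, attrs):
        if tag == "body" and any(name == "onload" for name, _ in attrs):
            self.body_onload = True


def is_html_candidate(filename, file_type, content_type):
    """In scope: HTML-like extension, or an unclassified file sent as octet-stream."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HTML_EXTENSIONS or (
        file_type == "unknown" and content_type == "application/octet-stream")


def evaluate(filename, file_type, content_type, html, urlhaus_hits=frozenset()):
    """Return match details, or None when the attachment does not meet every condition."""
    if not is_html_candidate(filename, file_type, content_type):
        return None
    parser = BodyOnloadParser()
    parser.feed(html)
    if not parser.body_onload:
        return None
    urls = sorted(set(URL_RE.findall(html)))
    if len(urls) != 1:           # the rule keys on exactly one URL in the file
        return None
    url = urls[0]
    host = (urlparse(url).hostname or "").lower()
    urlhaus = url in urlhaus_hits   # stand-in for the trusted-reporter URLhaus lookup
    suspicious_tld = host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS
    if not (urlhaus or suspicious_tld):
        return None
    return {"url": url, "urlhaus": urlhaus, "suspicious_tld": suspicious_tld}


# Constructed sample attachments (not real samples).
SAMPLE_SMUGGLED = '<html><body onload="location.href=\'http://invoice-update.zip/view\'"></body></html>'
SAMPLE_BENIGN = '<html><body><a href="https://example.com/report">Report</a></body></html>'
```

Note that a real rule would also handle obfuscated handlers and attachments with zero or many URLs differently; this sketch only mirrors the conditions listed in the summary.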
Categories
  • Web
  • Endpoint
Data Sources
  • File
  • Network Traffic
  • Application Log
  • Process
Created: 2023-09-21