
Summary
This detection rule identifies potential HTML smuggling attacks delivered through HTML attachments whose `body onload` event runs script, a technique that can be used to drop malware or present phishing links. It runs when an inbound attachment is analyzed, specifically for files with HTML-related extensions or files classified as `unknown` whose content type is `application/octet-stream`. The rule inspects the content for a single URL and checks whether that URL has been reported by trusted reporters on URLhaus or uses a suspicious top-level domain (TLD). Any attachment with these characteristics, including the presence of `body onload`, raises an alert and is marked as potentially malicious. The rule is intended to counter credential phishing and malware/ransomware delivery that abuses legitimate HTML features to bypass traditional security controls.
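The following is an added example of the rule's decision logic written as standalone Python; it is not the rule's own implementation or the vendor's code. The scope test (HTML extension, or an unclassifiable extension served as `application/octet-stream`), the `body onload` check, the exactly-one-URL requirement and the URLhaus-or-suspicious-TLD check follow the summary above. The known-extension list, the TLD watchlist and the in-memory URLhaus stand-in are constructed assumptions so the example runs offline; a real deployment would query URLhaus and use its own lists. The sample attachments are constructed, not real captures.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTML extensions come from the rule description; the "known" list is a
# constructed stand-in used to decide what counts as an "unknown" file type
# (assumption).
HTML_EXTENSIONS = {".html", ".htm", ".shtml", ".xhtml"}
KNOWN_EXTENSIONS = HTML_EXTENSIONS | {".pdf", ".docx", ".xlsx", ".zip", ".exe", ".txt"}

# Constructed TLD watchlist (assumption: the real rule maintains its own).
SUSPICIOUS_TLDS = {"zip", "mov", "top", "xyz", "icu"}

# Constructed offline stand-in for a URLhaus lookup: hostnames a trusted
# reporter has flagged (assumption; a real deployment would query URLhaus).
URLHAUS_TRUSTED_REPORTS = {"malicious.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    content_type: str
    content: bytes


class BodyOnloadScanner(HTMLParser):
    """Flags a <body> tag carrying an onload attribute."""

    def __init__(self):
        super().__init__()
        self.body_onload = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "body" and any(name == "onload" for name, _ in attrs):
            self.body_onload = True


def file_extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_in_scope(att):
    """HTML extension, or an unclassifiable file served as application/octet-stream."""
    ext = file_extension(att.filename)
    if ext in HTML_EXTENSIONS:
        return True
    return att.content_type.lower() == "application/octet-stream" and ext not in KNOWN_EXTENSIONS


def has_body_onload(html):
    scanner = BodyOnloadScanner()
    scanner.feed(html)
    return scanner.body_onload


def url_is_flagged(url):
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return host in URLHAUS_TRUSTED_REPORTS or tld in SUSPICIOUS_TLDS


def evaluate(att):
    """True when every condition of the rule is met for this attachment."""
    if not is_in_scope(att):
        return False
    html = att.content.decode("utf-8", errors="replace")
    if not has_body_onload(html):
        return False
    urls = URL_RE.findall(html)
    if len(urls) != 1:  # the rule requires exactly one URL
        return False
    return url_is_flagged(urls[0])


# Constructed sample attachments (not real captures).
SAMPLES = {
    "smuggled_suspicious_tld": Attachment(
        "invoice.html", "text/html",
        b"<html><body onload=\"location.href='https://login-verify.example.zip/auth'\">"
        b"<p>Loading document...</p></body></html>"),
    "unknown_type_urlhaus_hit": Attachment(
        "statement.dat", "application/octet-stream",
        b"<html><body onload=\"document.write(atob('PGgxPmhpPC9oMT4='))\">"
        b"<a href='https://malicious.example/update'>update</a></body></html>"),
    "benign_no_onload": Attachment(
        "report.html", "text/html",
        b"<html><body><a href='https://example.zip/r'>report</a></body></html>"),
    "two_urls": Attachment(
        "news.htm", "text/html",
        b"<html><body onload='init()'><a href='https://a.example.xyz'>a</a>"
        b"<a href='https://b.example.xyz'>b</a></body></html>"),
    "known_type_octet_stream": Attachment(
        "brochure.pdf", "application/octet-stream",
        b"<html><body onload='go()'><a href='https://c.example.top'>c</a></body></html>"),
}


def verdicts():
    return {name: evaluate(att) for name, att in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```

Only the first two samples alert: one via the suspicious TLD, the other via the URLhaus stand-in on a file the scope test accepts as an unknown type. The remaining samples show the conditions that must all hold: no `body onload` means no alert, two URLs means no alert, and a known non-HTML extension stays out of scope even when served as `application/octet-stream`.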
Categories
- Web
- Endpoint
Data Sources
- File
- Network Traffic
- Application Log
- Process
Created: 2023-09-21