Update attachment_html_recipient_in_javascript_identifiers.yml

Fixing issue where the rule would fail to flag if the recipient and the javascript terms were found in separate exploded pieces of the same file.
sublime-security · Sep 20, 2023 · 6bc92f9 · 6bc92f9
1 parent a979ae9
commit 6bc92f9
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -7,7 +7,7 @@ source: |
   type.inbound
   and any(attachments,
           (
-            .file_extension in~ ("html", "htm", "shtml", "dhtml")
+            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
             or (
               .file_extension is null
               and .file_type == "unknown"
@@ -16,13 +16,18 @@ source: |
             )
             or .file_extension in~ $file_extensions_common_archives
             or .file_type == "html"
+            or .content_type == "text/html"
           )
           and any(file.explode(.),
                   // suspicious identifiers
-                  any(.scan.javascript.identifiers, strings.like(., "atob", "decrypt"))
+                  any([.scan.strings.strings, .scan.javascript.identifiers],
+                      any(., strings.like(., "*atob*", "*decrypt*"))
+                  )
                   // Recipients address found in javascript
-                  and any(recipients.to,
-                          any(..scan.javascript.strings, strings.icontains(., ..email.email))
+                  and any(file.explode(..),
+                          any(recipients.to,
+                              any(..scan.javascript.strings, strings.icontains(., ..email.email))
+                          )
                   )
           )
   )