name: "HTML smuggling via attachment"
severity: high
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ ('html', 'htm')
          and any(binexplode(.),
                  any(.scan.javascript.identifiers, . == "unescape")
          )
  )
actions:
  alert: webhook
  block: quarantine
tags:
  - "Suspicious attachment"
  - "HTML smuggling"
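What the rule is looking for: in HTML smuggling the payload travels inside an HTML attachment and is reassembled in the recipient's browser, typically by decoding an embedded string (`unescape` is a common choice) and handing the bytes to a `Blob` that is then offered for download. The rule therefore fires on inbound messages carrying a `.html`/`.htm` attachment (`in~` is the case-insensitive match, so `Invoice.HTML` counts) whose script, or any file `binexplode()` extracts from it, contains the JavaScript identifier `unescape`. The Python below is an added illustration of that logic, not Sublime's code: the message and attachment classes, the regex-based identifier extraction standing in for `.scan.javascript.identifiers`, and all sample HTML are constructed for the example, and `binexplode()`'s recursion into archives is not modelled.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the message fields the rule touches: type.inbound,
# attachments[].file_extension and the attachment bytes. Real Sublime messages
# expose far more, and binexplode() also recurses into archives; not modelled here.
@dataclass
class Attachment:
    file_name: str
    content: bytes

@dataclass
class Message:
    inbound: bool
    attachments: list

HTML_EXTENSIONS = {"html", "htm"}  # the rule's `in~ ('html', 'htm')`
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Strings and comments are blanked before tokenising, so the word "unescape"
# inside a string literal (benign text, or an obfuscated property lookup) is
# not reported as an identifier. This approximates what a JS tokenizer yields.
STRING_OR_COMMENT_RE = re.compile(
    r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`""",
    re.S,
)
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

def file_extension(name: str) -> str:
    """Lower-cased extension, mirroring the case-insensitive `in~` match."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def javascript_identifiers(html: str) -> set:
    """Stand-in for .scan.javascript.identifiers on one HTML file."""
    idents = set()
    for script in SCRIPT_RE.findall(html):
        idents.update(IDENT_RE.findall(STRING_OR_COMMENT_RE.sub(" ", script)))
    return idents

def html_smuggling_via_attachment(msg: Message) -> bool:
    """Evaluate the rule's `source` expression against one message."""
    if not msg.inbound:
        return False
    return any(
        file_extension(a.file_name) in HTML_EXTENSIONS
        and "unescape" in javascript_identifiers(a.content.decode("utf-8", "replace"))
        for a in msg.attachments
    )

# Constructed samples. The "payload" is plain base64 text, not a real file.
SMUGGLING_HTML = b"""<html><body><script>
var payload = "SGVsbG8gd29ybGQ=";
var bytes = unescape(encodeURIComponent(atob(payload)));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.iso"; a.click();
</script></body></html>"""

BENIGN_HTML = b"""<html><body><script>
document.title = "Please unescape the form fields";  // word only inside a string
</script><p>Meeting notes attached.</p></body></html>"""

# Same technique with the call resolved at runtime: no `unescape` identifier
# appears in the script, so this rule (and the stand-in) does not fire.
EVASION_HTML = b"""<html><body><script>
var u = window["unes" + "cape"];
var bytes = u(encodeURIComponent(atob("SGVsbG8gd29ybGQ=")));
</script></body></html>"""

SMUGGLING_MSG = Message(True, [Attachment("Invoice.HTML", SMUGGLING_HTML)])
BENIGN_MSG = Message(True, [Attachment("notes.htm", BENIGN_HTML)])
EVASION_MSG = Message(True, [Attachment("invoice.html", EVASION_HTML)])
OUTBOUND_MSG = Message(False, [Attachment("Invoice.HTML", SMUGGLING_HTML)])

if __name__ == "__main__":
    for label, m in [("smuggling", SMUGGLING_MSG), ("benign", BENIGN_MSG),
                     ("evasion", EVASION_MSG), ("outbound", OUTBOUND_MSG)]:
        print(f"{label:9s} -> {html_smuggling_via_attachment(m)}")
```

Only the first sample trips the rule. The `EVASION_HTML` case is the caveat worth keeping in mind: matching a single identifier is cheap and low-noise, but an attacker who builds the call name from string fragments leaves no `unescape` token, so in practice this rule is one layer among several rather than the whole detection for HTML smuggling.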
Modern email security is a one-size-fits-all black box: the same phishing attacks continue to land, and the same legitimate emails continue to get blocked. Sublime lets you write and run custom detection and response rules to block phishing attacks, hunt for threats, and more.
Free and self-hostable
Run the full Sublime Platform without sending any sensitive email data outside of your environment.
Open-source rules
Use any of the open-source community rules, or write and share your own.
Block
Write sophisticated rules to block and detect phishing attacks. Operationalize threat intel from any source.
Hunt
Identify and remediate campaigns using behavioral patterns and historical message search. Detect malicious forwarding rules.
© 2022. Sublime Security, Inc.