Blocking phishing attempts sent as HTML attachments with JavaScript
-
We have received a number of phishing attempts where the attachment was a larger HTML file with a JavaScript code block embedded in it.
The attachment contains all of the images etc. required to display a fake login page with the user's e-mail address pre-filled in, ready to submit the user's e-mail address and password to a Base64-encoded URL.
How would we go about creating a rule to block HTML attachments with a script block?
We don't want to just block all HTML attachments, as we don't see a way to report on how many HTML attachments we receive that are legitimate.
-
Would something like the following work?
require ["mime", "foreverypart", "reject", "body"];
foreverypart {
    if allof (
        header :mime :param "filename" :matches ["Content-Disposition", "Content-Type"] "*.html",
        body :content "text/html" :contains "<script"
    ) {
        reject "Email rejected due to HTML attachment containing JavaScript.";
        stop;
    }
}
-
SecurityGateway doesn't seem to support the 'mime' extension, so the above doesn't work.
-
I was able to create a rule that I think may do what I want. Testing now.
require ["securitygateway","fileinto","body"];
# Match the literal tag strings in the undecoded message body
if body :raw :contains ["<script", "</script>"]
{
    fileinto "admin";
    stop;
}
-
Matthew Staff
Shaun,
Can you send me (matt.mcdermott@mdaemon.com) a couple of example messages?
-
Hello Matt,
I have sent you 2 examples just a minute ago.
-
Delivery has failed to these recipients:
matt.mcdermott@mdaemon.com
Subject: FW: Sheet ref-4928 For info@optrics.com only
Remote Server returned: '550 Sorry, this message contains Phishing.HTML.Doc virus'🤣
-
Matthew Staff
If our MDaemon server detected it as a virus, I would expect SecurityGateway to as well. I do not have access to our server at the moment, but I will have the admin review the logs.
I would confirm that Ikarus AV is enabled. You can upload the message (.eml file) to https://mdaemon.sharefile.com/r-rc3922c1eed334d4dbf5e34f0bd04ccd6 and I will test with it.
This script should accomplish what you are looking for.
require ["securitygateway","fileinto","body", "regex"];
# Search the decoded text/html and application/octet-stream parts for a script block
if body :content ["text/html", "application/octet-stream"] :regex "(?s)<script>.*?</script>"
{
    fileinto "admin";
    stop;
}
-
Hello Matthew,
I have uploaded 2 recent samples to sharefile and put this rule into testing.
Ikarus AV is enabled and I see it is updating its signatures and scanning messages.
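As an added, stand-alone illustration of the check the thread is after (the phishing attachment described in the opening post and the body :content rule above), here is the same logic in Python, using only the standard library. This is example code, not SecurityGateway or Sieve code and not posted by anyone in the thread. It parses a message, looks only at parts that are attachments (so an ordinary HTML-bodied newsletter is left alone), treats a part as HTML either by Content-Type or by a .html/.htm filename (phishing senders often ship the page as application/octet-stream), decodes the base64 payload before searching, and matches `<script` with any attributes or letter case, which a pattern anchored on the literal string `<script>` would miss for a tag such as `<script type="text/javascript">`. The sample messages, the filename `Sheet.html`, and the `atob(` indicator (an assumption about how a Base64-encoded URL is commonly unpacked in such a page) are all constructed for the example.

```python
"""Flag HTML attachments that carry a <script> block (added example, not SecurityGateway code)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators searched in the DECODED attachment bytes. "script tag" is the check the
# thread discusses; "base64 decode" is an assumption about how a Base64-encoded
# submission URL is typically unpacked in the page (JavaScript's atob()).
INDICATORS = {
    "script tag": re.compile(rb"<script\b", re.IGNORECASE),
    "base64 decode": re.compile(rb"\batob\s*\(", re.IGNORECASE),
}
HTML_SUFFIXES = (".html", ".htm", ".xhtml", ".shtml")


def is_html_attachment(part) -> bool:
    """True for a part that is an attachment and is HTML by type or by filename."""
    filename = (part.get_filename() or "").lower()
    if not (part.is_attachment() or filename):
        return False  # inline HTML body of an ordinary message: not an attachment
    return part.get_content_type() == "text/html" or filename.endswith(HTML_SUFFIXES)


def scan_message(raw: bytes) -> list:
    """Return (filename, matched indicator names) for each suspicious HTML attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart() or not is_html_attachment(part):
            continue
        # decode=True undoes base64 / quoted-printable, so the raw tag is visible
        payload = part.get_payload(decode=True) or b""
        matched = [name for name, rx in INDICATORS.items() if rx.search(payload)]
        if matched:
            hits.append((part.get_filename() or "<unnamed>", matched))
    return hits


def build_sample(with_script: bool, inline: bool = False) -> bytes:
    """Constructed test message. With inline=False the fake login page is shipped as a
    base64-encoded application/octet-stream attachment named Sheet.html; with
    inline=True the same page is the message body itself (no attachment)."""
    page = ("<html><body><form>"
            "<input name='user' value='user@example.invalid'>")
    if with_script:
        # Mixed case and an attribute on the tag; the URL is Base64 for https://example.invalid/
        page += ("<SCRIPT type='text/javascript'>"
                 "document.forms[0].action = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');"
                 "</SCRIPT>")
    page += "</form></body></html>"

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Sheet for review"
    if inline:
        msg.set_content(page, subtype="html")
    else:
        msg.set_content("Please open the attached sheet.")
        msg.add_attachment(page.encode(), maintype="application",
                           subtype="octet-stream", filename="Sheet.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print("attachment with script:", scan_message(build_sample(True)))
    print("attachment without script:", scan_message(build_sample(False)))
    print("inline HTML body with script:", scan_message(build_sample(True, inline=True)))
```

The third case shows the deliberate scope: a script in an inline HTML body is not reported, because the goal in the thread is to act on HTML attachments, not on every HTML message. If that scope is too narrow for a given deployment, dropping the `is_attachment()` / filename guard in `is_html_attachment` makes the scan cover inline parts as well.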