T1027.006 - HTML Smuggling

DESCRIPTION

Detects a device launching a browser to open a URL that embeds a second URL followed by a base64-encoded e-mail address. The query only fires when the decoded value contains ".com" or ".gov", so it is tuned for the usual case of a victim's corporate or government address being handed to the landing page.

Example:

The clicked URL hides one or more second-stage URLs and an encoded user name that is passed on to the phishing site, typically to pre-fill the login form and make the lure look legitimate.

Related

AiTM phishing

Reference:

https://securelist.com/html-attachments-in-phishing-e-mails/106481/

ATT&CK TACTICS

T1027 - Obfuscated Files or Information (parent technique of T1027.006; tactic: Defense Evasion)

Data Source(s): TBA

SENTINEL RULE QUERY

```kql
DeviceEvents
// Browser launched to open a URL, e.g. a link clicked in an e-mail or attachment
| where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
// Capture the base64 run that follows a URL-encoded slash (%2F) after an embedded "http",
// decode it and keep rows where the plaintext looks like an e-mail address
| where base64_decode_tostring(extract(@".+http.*\%2F([A-Za-z0-9+\/]{6,}=?)", 1, RemoteUrl)) has_any (".gov", ".com")
```
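To see what the query matches and what it lets through before deploying it, the following Python port runs the same three filters over a handful of constructed DeviceEvents rows. This is an added example, not code from the rule page or from Sentinel: the rows, domains and addresses are made up, the regex is the rule's own pattern (written without the backslash before `%`, which neither RE2 nor Python needs), and `has_any` is approximated with a case-insensitive substring check. One caveat the port makes visible: the rule's `=?` keeps at most one padding character, so a captured blob can be short one `=`; the port re-pads before decoding, and it is worth checking in your workspace how `base64_decode_tostring` treats such input.

```python
import base64
import binascii
import re
from typing import Optional

# Same pattern as the Sentinel rule. Because `.+` must consume at least one
# character before "http", the pattern only matches when "http" appears past
# the start of RemoteUrl, i.e. when a second URL is embedded in the clicked one.
SMUGGLED_B64 = re.compile(r".+http.*%2F([A-Za-z0-9+/]{6,}=?)")

# The rule's has_any() terms.
TERMS = (".gov", ".com")


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample rows below."""
    return base64.b64encode(text.encode()).decode()


# Constructed DeviceEvents rows (not real telemetry); only the two fields the
# rule reads are present. Domains and addresses are hypothetical.
SAMPLE_EVENTS = [
    # 1: redirector carrying a second URL and the victim's base64 e-mail.
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://r.example.net/go?to=https%3A%2F%2Fsso.example-lure.test%2F"
                  + _b64("john.doe@contoso.com")},
    # 2: same pattern, a .gov address; its base64 form ends in "==" so the rule's
    #    regex drops one padding character.
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://t.example.net/c?u=http%3A%2F%2Fportal.example-lure.test%2Fv%2F"
                  + _b64("alice@agency.gov")},
    # 3: ordinary link, no embedded URL and no base64 run.
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://docs.example.com/reports/q3.pdf"},
    # 4: wrong ActionType; must be ignored even though the URL would match.
    {"ActionType": "NetworkConnection",
     "RemoteUrl": "https://r.example.net/go?to=https%3A%2F%2Fsso.example-lure.test%2F"
                  + _b64("john.doe@contoso.com")},
    # 5: embedded URL whose base64 segment is not an e-mail address.
    {"ActionType": "BrowserLaunchedToOpenUrl",
     "RemoteUrl": "https://r.example.net/go?to=https%3A%2F%2Fshop.example.org%2F"
                  + _b64("order-4421-receipt")},
]


def extract_blob(url: str) -> Optional[str]:
    """Mirror of extract(@"...", 1, RemoteUrl): the captured base64 run, or None."""
    m = SMUGGLED_B64.search(url)
    return m.group(1) if m else None


def decode_blob(blob: str) -> Optional[str]:
    """Decode the captured run as UTF-8 text.

    The rule's regex keeps at most one '=', so padding is restored here before
    decoding; input that is not valid base64 or not valid UTF-8 yields None.
    """
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def matches_rule(event: dict) -> Optional[str]:
    """Apply the rule's filters to one row; return the decoded identity on a hit."""
    if event.get("ActionType") != "BrowserLaunchedToOpenUrl":
        return None
    url = event.get("RemoteUrl") or ""          # isnotempty(RemoteUrl)
    if not url:
        return None
    blob = extract_blob(url)
    if blob is None:
        return None
    decoded = decode_blob(blob)
    if decoded is None:
        return None
    # has_any(".gov", ".com"), approximated as a case-insensitive substring test.
    lowered = decoded.lower()
    return decoded if any(term in lowered for term in TERMS) else None


def triage_hits(events) -> list:
    """Rows the rule would surface, each with the decoded identity beside the URL."""
    hits = []
    for ev in events:
        ident = matches_rule(ev)
        if ident is not None:
            hits.append({"RemoteUrl": ev["RemoteUrl"], "decoded": ident})
    return hits


if __name__ == "__main__":
    for hit in triage_hits(SAMPLE_EVENTS):
        print(f"{hit['decoded']:<24} <- {hit['RemoteUrl']}")
```

Rows 1 and 2 are surfaced with the decoded address, which is the value you want in the alert for step 2 of the triage below; rows 3 to 5 are dropped. Row 5 also shows the boundary of the rule: a base64 segment that does not decode to a string containing ".com" or ".gov" is never seen, so addresses on other TLDs need the term list extended.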

Triage

  1. Sandbox the link, or search the second-stage domain on https://urlscan.io/ for indications of a phishing kit
  2. If phishing is confirmed, check whether the user exposed credentials (entered them on the landing page)
  3. Inspect logs for additional downloaded malware
  4. If the attack is proven successful, reset the user's passwords and revoke session tokens

FalsePositive

Legitimate sites that pass a base64-encoded user name in the URL are expected to trigger this rule; tune by excluding known redirectors or sign-in portals.

VERSION

Version 1.0 (date: 11/10/2023)