feat(rules): Add Suspicious file delivery via HTML smuggling rule

rabbitstack · rabbitstack · commit dedd157ba337 · 2026-03-03T19:24:12.000+01:00
Detects suspicious file delivery via HTML smuggling, a phishing technique where malicious payloads are embedded inside HTML files and reconstructed on the victim system using browser-side JavaScript.
Adversaries abuse spearphishing attachments for initial access while bypassing traditional email and network-based security controls.
diff --git a/rules/initial_access_suspicious_file_delivery_via_html_smuggling.yml b/rules/initial_access_suspicious_file_delivery_via_html_smuggling.yml
@@ -0,0 +1,47 @@
+name: Suspicious file delivery via HTML smuggling
+id: b93b5203-78da-4ffa-9b9d-4bd50b3eca1c
+version: 1.0.0
+description: |
+  Detects suspicious file delivery via HTML smuggling, a phishing technique 
+  where malicious payloads are embedded inside HTML files and reconstructed 
+  on the victim system using browser-side JavaScript.
+  Adversaries abuse spearphishing attachments for initial access while bypassing
+  traditional email and network-based security controls.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+  subtechnique.id: T1566.001
+  subtechnique.name: Spearphishing Attachment
+  subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+references:
+  - https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript
+
+condition: >
+  sequence
+  maxspan 45s
+  by ps.name
+    |spawn_process and
+     ps.parent.name ~= 'explorer.exe' and ps.name iin web_browser_binaries and
+     (ps.args iin ('-url', '--single-element') or (ps.name ~= 'iexplore.exe' and length(ps.args) = 2)) and
+     ps.cmdline imatches
+                (
+                  '*?:\\Users\\*\\Downloads\\*.htm*',
+                  '*?:\\Users\\*\\AppData\\Local\\Temp\\*.htm*',
+                  '*?:\\Users\\*\\Content.Outlook\\*.htm*'
+                )
+    |
+    |create_file and
+     file.extension iin ('.exe', '.iso', '.zip', '.rar', '.7z', '.img', '.vhd', '.js', '.bat',
+                         '.com', '.vbs', '.vbe', '.ps1', '.wsh', '.hta', '.cpl', '.jse', '.scr') and
+     file.path imatches '?:\\Users\\*\\Downloads\\*'
+    |
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
