[PR #3064] changed rule: Attachment: Web files with suspicious comments

github-actions[bot] · github-actions[bot] · commit c27ec378c215 · 2025-08-08T15:07:02.000Z
diff --git a/detection-rules/3064_attachment_web_suspicious_comments.yml b/detection-rules/3064_attachment_web_suspicious_comments.yml
@@ -0,0 +1,64 @@
+name: "Attachment: Web files with suspicious comments"
+description: "Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            (
+              .file_type in ("html", "svg")
+              or .file_extension in ("html", "xhtml", "mhtml", "svg")
+              or .content_type in ("text/html", "text/plain")
+            )
+            and .size < 100000
+          )
+          and (
+            (
+              // targeting comments that pad the file with quotes from literature
+              // examples: "// Echoes of the past linger in silence.", "// The wind whispered secrets unknown.", "// Shadows tell stories in the dark."
+  
+              // count all HTML code comments that match our pattern
+              regex.count(file.parse_text(.).text, '// [A-Z][ a-z ]+\.') / 
+              // divide by the count of all UNIQUE HTML code comments that match our pattern
+              length(distinct(regex.extract(file.parse_text(.).text,
+                                            '// [A-Z][ a-z ]+\.'
+                              ),
+                              .full_match
+                     )
+              ) 
+              // at least 50% of the comments are duplicates
+              >= 2
+            )
+            or (
+              // targeting comments that pad the file with sayings
+              // examples: "<!-- <span> No gain without pain. </span> -->", "<!-- <p> Beauty is only skin deep. </p> -->", "<!-- <span> Actions speak louder than words. </span> -->"
+              regex.count(file.parse_text(.).text,
+                          '<!-- +(<[a-z]+>)? [A-Z][ a-z ]+\. (</[a-z]+>)? +-->'
+              )
+            ) > 2
+            or (
+              // targeting comments inside hidden HTML elements
+              // example: "<h1 style="display:none;"> Self-confidence inspires others to believe in you. </h1>"
+              regex.count(file.parse_text(.).text,
+                          '<[a-z0-9]+ style="display:none;">(<[a-z]+>)? [A-Z].*\. </[a-z0-9]+>'
+              )
+            ) > 2
+          )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "HTML smuggling"
+  - "Evasion"
+detection_methods:
+  - "File analysis"
+  - "HTML analysis"
+  - "Content analysis"
+id: "435fab74-e426-5fca-a85c-650d0f33fbd5"
+og_id: "93061d17-730a-5b33-955d-8f8f6cc5cca9"
+testing_pr: 3064
+testing_sha: 9952fc6c61ff4a6fa36c721efdf3a4ae46e6678a
