
Block Obfuscated JS in Email

Contextal Team
Contextal Platform Creators

In this example, we show how to detect and block obfuscated JavaScript inside Email objects (and their child objects). The same technique can be adapted to any other data type that may carry JavaScript.

The Text backend uses machine learning to identify common scripting languages, such as JavaScript. Combining that detection with a trait shared by many malicious scripts, obfuscation into a single long line, gives an effective filter. Here's how:

The following ContexQL query matches Email objects that have a descendant meeting all of these criteria:

  • JavaScript detected as the programming language
  • no newlines at all, which suggests obfuscation (or minification)
  • more than 2048 characters of code

object_type == "Email" &&
  @has_descendant(object_type == "Text" &&
    @match_object_meta($programming_language == "JavaScript")
    && @match_object_meta($number_of_newlines == 0)
    && @match_object_meta($number_of_characters > 2048)
  )
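To make the query's semantics concrete, here is an added Python model of how the scenario is evaluated over an object tree. It is example code written for this page, not Contextal's engine or ContexQL implementation: the `ObjectNode` tree shape, the `text_meta` helper and the sample emails are assumptions, and the `language` argument stands in for the ML classification the Text backend performs (character rather than byte counting is also assumed). It shows the two parts of the query, the root check on `object_type == "Email"` and the recursive `@has_descendant` walk, and exercises them on a one-line script, the same script pretty-printed, a short one-liner and a non-JavaScript object.

```python
"""Model of the "Email With Obfuscated JS" scenario (added example, not Contextal code)."""
from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class ObjectNode:
    """A node in the object tree that a ContexQL query walks (assumed shape)."""
    object_type: str
    meta: dict
    children: list = field(default_factory=list)

    def descendants(self) -> Iterator["ObjectNode"]:
        """Yield every child, grandchild, ... in depth-first order."""
        for child in self.children:
            yield child
            yield from child.descendants()


def text_meta(content: str, language: Optional[str]) -> dict:
    """Build the metadata the query inspects on a Text object.

    `language` stands in for the Text backend's ML language classification,
    which is not reproduced here; the counts use the page's meta names.
    Counting characters rather than bytes is an assumption.
    """
    return {
        "programming_language": language,
        "number_of_newlines": content.count("\n"),
        "number_of_characters": len(content),
    }


def is_obfuscated_js(node: ObjectNode) -> bool:
    """Equivalent of the three @match_object_meta predicates on a Text object."""
    m = node.meta
    return (
        node.object_type == "Text"
        and m.get("programming_language") == "JavaScript"
        and m.get("number_of_newlines") == 0
        and m.get("number_of_characters", 0) > 2048
    )


def matches_scenario(root: ObjectNode) -> bool:
    """object_type == "Email" && @has_descendant(...): the root must be an Email
    and at least one descendant, at any depth, must satisfy is_obfuscated_js."""
    return root.object_type == "Email" and any(
        is_obfuscated_js(n) for n in root.descendants()
    )


def decide(root: ObjectNode) -> str:
    """The scenario's action: BLOCK on a match, otherwise let the email pass."""
    return "BLOCK" if matches_scenario(root) else "ALLOW"


# --- constructed sample objects (not real mail traffic) ----------------------
# A typical string-array obfuscation pattern squeezed onto one line, about 5 kB.
ONE_LINER_JS = (
    "var _0x=[" + ",".join('"\\x%02x"' % (i % 256) for i in range(700)) + "];"
    "eval(_0x.join(''));"
)
# The same payload pretty-printed onto many lines: no longer a one-liner.
MULTILINE_JS = ONE_LINER_JS.replace(",", ",\n")
# A one-liner that is far below the 2048-character threshold.
SHORT_ONE_LINER_JS = "document.write('hello');"


def make_email(script: str, language: str = "JavaScript") -> ObjectNode:
    """Email -> HTML body -> Text (script): the match works at any depth."""
    text = ObjectNode("Text", text_meta(script, language))
    html = ObjectNode("HTML", {}, [text])
    return ObjectNode("Email", {"subject": "invoice"}, [html])


MALICIOUS_EMAIL = make_email(ONE_LINER_JS)
PRETTY_PRINTED_EMAIL = make_email(MULTILINE_JS)
SHORT_SCRIPT_EMAIL = make_email(SHORT_ONE_LINER_JS)
NOT_JS_EMAIL = make_email(ONE_LINER_JS, language="Python")

if __name__ == "__main__":
    for name, email in [
        ("one-line JS > 2 kB", MALICIOUS_EMAIL),
        ("pretty-printed JS", PRETTY_PRINTED_EMAIL),
        ("short one-liner", SHORT_SCRIPT_EMAIL),
        ("non-JS one-liner", NOT_JS_EMAIL),
    ]:
        print(f"{name}: {decide(email)}")
```

The pretty-printed case is the one to keep in mind when tuning: an attacker who inserts a single newline defeats `$number_of_newlines == 0`, so treat this scenario as a cheap first filter rather than a complete obfuscation detector.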

This straightforward scenario has proven highly effective at identifying and blocking real-world threats. Keep in mind that legitimately minified JavaScript has the same single-line shape, so if your mail flow carries such files, raise the size threshold or add an exclusion for them. Give it a try in your environment!

Info: The scenario file is reproduced below. Upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!).

Email-With-Obfuscated-JS.json

{
  "name": "Email With Obfuscated JS",
  "min_ver": 1,
  "max_ver": null,
  "creator": "Contextal",
  "description": "Block emails that contain an object with obfuscated JS.",
  "local_query": "object_type == \"Email\" &&\n @has_descendant(object_type == \"Text\" &&\n @match_object_meta($programming_language == \"JavaScript\")\n && @match_object_meta($number_of_newlines == 0)\n && @match_object_meta($number_of_characters > 2048)\n )",
  "context": null,
  "action": "BLOCK"
}