Hello, welcome to the Friday, September 14th, 2018 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Orich, and I am recording from Jacksonville, Florida.

There appears to be no shortage of file types that an attacker can use to expose a victim with malicious content.

The latest example is MHT files or sometimes also called MHTML files.

These are files that are created typically by Internet Explorer if you are saving a web page. Problem with saving a web page is that it's more

than just the HTML to make the webpage work. You also need images, you may need JavaScript

files and the like, and that's what the MHT format accomplishes. Now it's not just the SIP archive

of all of these files. Instead, it's actually sort of a mime encode,

it's a multi-part mime file. So it's one big file. It's not compressed by itself and it includes

different segments with all the different files that are needed to build the web page.

Now, the reason the DA is looking at this file type is that he found it being used in order to, of course, spread malicious content.

In a simple case, it's really just sort of a little one-liner HTML file that then redirects

the user to a different website.

That then delivers the malicious code.

But Xavier has another example where actually a bunch of JavaScript and B-B-Script code

is being included in these files that in itself is malicious.

Attackers, of course, hope that you're not inspecting these somewhat special file types,

and as a result, the malicious code or the malicious URL will make it to the user past whatever sort of filters you have set up.

We had one user right in who I think puts it best in that he said that he's blocking all

of these MHT files for years with very little bad side effects.

The only example here he had is his Qualis Wall.

Let me see scanner does deliver scan reports using

this format.

...