On Thu, 2 Feb 2017 05:43:24 -0500 Kevin A. McGrail wrote:
> On 2/1/2017 11:30 PM, Pedro David Marco wrote:
> > I did a similar rule to detect it but with higher score (3) since
> > we are seeing a huge LinkedIn Phishing campaign using this
> > technique, that on purpose or by mistake is evading most SA
> > rules...
> I will score much higher since it is in the wild. Can you throw a
> spample up on pastebin?
Perhaps text/html makes a big difference, but base64 encoded utf-8 text is not uncommon these days - particularly outside North America. To score it higher you might want to include a "full" rule that checks for base64 encoding in the headers followed by illegal whitespace near the beginning of what should be the base64 text.
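One way to prototype the check suggested above, as an added example that is not part of the thread and is not a SpamAssassin rule: a Python function that finds MIME parts declaring `Content-Transfer-Encoding: base64` and reports space/tab characters (which an RFC 2045 encoder never emits) within the first characters of the still-encoded body, which is the same raw text a SpamAssassin "full" rule would match against. A second function shows why a rule that only looks at the decoded text misses this: lenient base64 decoders discard non-alphabet bytes, so the rendered content is unchanged. The sample message and its HTML are constructed here, and the function names and the 256-character window are my choices, not anything from the thread.

```python
import base64
import email
import re
from typing import List, Optional, Tuple

# Space, tab, form feed and vertical tab never appear in encoder output
# (RFC 2045 section 6.8); CR/LF are the normal 76-column line breaks and
# are therefore NOT treated as illegal here.
_ILLEGAL_WS = re.compile(r"[ \t\f\v]")


def base64_parts_with_illegal_whitespace(raw: bytes, window: int = 256) -> List[Tuple[str, int]]:
    """Return (content_type, offset) for every MIME part that declares
    Content-Transfer-Encoding: base64 and has space/tab within the first
    `window` characters of its *encoded* body.  Offsets count from the
    first non-blank character of the body.  The window is an assumption:
    it keeps the check cheap and focused "near the beginning", as suggested."""
    msg = email.message_from_bytes(raw)
    hits: List[Tuple[str, int]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        # decode=False keeps the body exactly as transmitted, which is what
        # a raw-message ("full") rule sees.
        encoded = part.get_payload(decode=False).lstrip("\r\n")
        match = _ILLEGAL_WS.search(encoded[:window])
        if match:
            hits.append((part.get_content_type(), match.start()))
    return hits


def decode_first_base64_part(raw: bytes) -> Optional[str]:
    """Decode the first base64 part the way a lenient decoder does: bytes
    outside the base64 alphabet (including injected whitespace) are dropped,
    so the result is identical to the untampered message.  This is why a
    rule that inspects only decoded content never notices the trick."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64" and not part.is_multipart():
            payload = part.get_payload(decode=False).encode("ascii", "replace")
            # validate=False (the default) discards non-alphabet characters
            return base64.b64decode(payload, validate=False).decode("utf-8")
    return None


def build_sample(html: str, inject_space_at: Optional[int] = None) -> bytes:
    """Constructed test message (not a real sample from any campaign): one
    text/html part, base64 encoded and wrapped at 76 columns.  If
    inject_space_at is given, a single space is inserted into the encoded
    text at that offset, imitating the whitespace-in-base64 pattern the
    thread describes."""
    enc = base64.b64encode(html.encode("utf-8")).decode("ascii")
    if inject_space_at is not None:
        enc = enc[:inject_space_at] + " " + enc[inject_space_at:]
    lines = [enc[i:i + 76] for i in range(0, len(enc), 76)]
    headers = (
        "From: sender@example.test\r\n"
        "To: recipient@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
    )
    return (headers + "\r\n".join(lines) + "\r\n").encode("ascii")


if __name__ == "__main__":
    html = "<html><body><p>Hello, this is an ordinary message.</p></body></html>"
    clean = build_sample(html)
    tampered = build_sample(html, inject_space_at=12)
    print("clean   :", base64_parts_with_illegal_whitespace(clean))
    print("tampered:", base64_parts_with_illegal_whitespace(tampered))
    print("both decode to the same text:",
          decode_first_base64_part(clean) == decode_first_base64_part(tampered))
```

The encoded-text check is what you would translate into a raw-message regex for a real rule; the window keeps it from flagging legitimate base64 bodies that happen to carry trailing whitespace far down in the part, and the decode function is only there to demonstrate the evasion, since the decoded HTML of the clean and tampered samples is byte-for-byte identical.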