topic Re: Why Doesn't Checkpoint MTA Detect Obfuscated JS in Email HTML Body (eval/atob)? in General Topics https://community.checkpoint.com/t5/General-Topics/Why-Doesn-t-Checkpoint-MTA-Detect-Obfuscated-JS-in-Email-HTML/m-p/262556#M44425 <P>You may wish to confrm this 100% with TAC, but Im fairly certain this is a limitation. From my understanding, only way such file would be scanned was if it were saved as .html file.</P> Tue, 11 Nov 2025 20:46:25 GMT the_rock 2025-11-11T20:46:25Z Why Doesn't Checkpoint MTA Detect Obfuscated JS in Email HTML Body (eval/atob)? https://community.checkpoint.com/t5/General-Topics/Why-Doesn-t-Checkpoint-MTA-Detect-Obfuscated-JS-in-Email-HTML/m-p/262547#M44417 <P>We're using Checkpoint R81.20 with the Mail Transfer Agent (MTA) feature enabled on our Security Gateway to inspect SMTP traffic (integrated with Threat Emulation/TE and Threat Extraction). Recently, we analyzed a phishing email where malicious JavaScript was embedded directly in the HTML body (MIME type: text/html), using obfuscated base64-encoded code with <SPAN>atob</SPAN> for decoding and <SPAN>eval</SPAN> for execution. The payload was hidden in an <SPAN>&lt;img style=display:none src/onerror="..."&gt;</SPAN> tag, designed to exfiltrate data to a suspicious domain upon rendering in the browser/iNotes client.</P><P>Key details:</P><UL><LI>No attachments; purely inline HTML body.</LI><LI>The email passed through without quarantine or alert (low spam score ~12%, no URL filtering hit).</LI><LI>MTA accepts/relays SMTP, scans MIME parts, but the JS executed client-side without server-side detection.</LI><LI>Logs show SMTP negotiation over TLS, but no TE sandboxing triggered for the HTML body.</LI></UL><P>From the docs, MTA works with TE for file-based threats and Threat Extraction for content removal, but it seems focused on attachments/files rather than inline scripts in HTML bodies. Is this a known limitation?</P><P>Questions:</P><OL><LI>Does MTA/TE scan and emulate inline HTML/JavaScript in email bodies for obfuscated threats like <SPAN>eval(atob(...))</SPAN>, or is it limited to extractable files/attachments?</LI><LI>What configurations (e.g., enabling full MIME recursion, custom signatures for JS patterns) can improve detection of HTML smuggling or client-side JS exploits?</LI></OL><P>Appreciate any insights or best practices to harden MTA against such attacks.</P> Tue, 11 Nov 2025 20:17:18 GMT https://community.checkpoint.com/t5/General-Topics/Why-Doesn-t-Checkpoint-MTA-Detect-Obfuscated-JS-in-Email-HTML/m-p/262547#M44417 SubZer0 2025-11-11T20:17:18Z Re: Why Doesn't Checkpoint MTA Detect Obfuscated JS in Email HTML Body (eval/atob)? https://community.checkpoint.com/t5/General-Topics/Why-Doesn-t-Checkpoint-MTA-Detect-Obfuscated-JS-in-Email-HTML/m-p/262556#M44425 <P>You may wish to confrm this 100% with TAC, but Im fairly certain this is a limitation. From my understanding, only way such file would be scanned was if it were saved as .html file.</P> Tue, 11 Nov 2025 20:46:25 GMT https://community.checkpoint.com/t5/General-Topics/Why-Doesn-t-Checkpoint-MTA-Detect-Obfuscated-JS-in-Email-HTML/m-p/262556#M44425 the_rock 2025-11-11T20:46:25Z