SubZer0
Contributor

Why Doesn't Checkpoint MTA Detect Obfuscated JS in Email HTML Body (eval/atob)?

We're using Checkpoint R81.20 with the Mail Transfer Agent (MTA) feature enabled on our Security Gateway to inspect SMTP traffic (integrated with Threat Emulation/TE and Threat Extraction). Recently, we analyzed a phishing email where malicious JavaScript was embedded directly in the HTML body (MIME type: text/html), using obfuscated base64-encoded code with atob for decoding and eval for execution. The payload was hidden in an <img style=display:none src/onerror="..."> tag, designed to exfiltrate data to a suspicious domain upon rendering in the browser/iNotes client.

Key details:

  • No attachments; purely inline HTML body.
  • The email passed through without quarantine or alert (low spam score ~12%, no URL filtering hit).
  • MTA accepts/relays SMTP, scans MIME parts, but the JS executed client-side without server-side detection.
  • Logs show SMTP negotiation over TLS, but no TE sandboxing triggered for the HTML body.

From the docs, MTA works with TE for file-based threats and Threat Extraction for content removal, but it seems focused on attachments/files rather than inline scripts in HTML bodies. Is this a known limitation?

Questions:

  1. Does MTA/TE scan and emulate inline HTML/JavaScript in email bodies for obfuscated threats like eval(atob(...)), or is it limited to extractable files/attachments?
  2. What configurations (e.g., enabling full MIME recursion, custom signatures for JS patterns) can improve detection of HTML smuggling or client-side JS exploits?

Appreciate any insights or best practices to harden MTA against such attacks.

0 Kudos
1 Reply
the_rock
MVP Platinum

You may wish to confirm this 100% with TAC, but I'm fairly certain this is a limitation. From my understanding, the only way such a file would be scanned is if it were saved as an .html file.

Best,
Andy
0 Kudos
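
For the inline `eval(atob(...))` case discussed in this thread, the following is an added example, not part of the original posts and not Check Point functionality: a Python check that walks the text/html parts of a message and flags `on*` handlers or script bodies that call eval/atob-style functions. The names `scan_message` and `InlineScriptFinder`, the pattern list, and the sample message are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Hypothetical pattern list: event-handler attribute names and dynamic-code calls.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
SUSPICIOUS = re.compile(r"\b(?:eval|atob|Function|unescape|fromCharCode)\s*\(")
ATOB_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

class InlineScriptFinder(HTMLParser):
    """Collects <script> bodies and on* handlers that call eval/atob-style functions."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if EVENT_ATTR.match(name) and value and SUSPICIOUS.search(value):
                self._report(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> only </script> reaches here

    def handle_data(self, data):
        if self._in_script and SUSPICIOUS.search(data):
            self._report("<script>", data)

    def _report(self, where, code):
        decoded = []
        for blob in ATOB_ARG.findall(code):  # decode literal atob() arguments for the analyst
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass
        self.findings.append({"where": where, "decoded": decoded})

def scan_message(raw):
    """Return findings for every text/html part of a raw message, the body included."""
    finder = InlineScriptFinder()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

# Constructed sample message; the base64 decodes to a harmless console.log call.
B64 = base64.b64encode(b"console.log('test')").decode()
SAMPLE = ("Subject: constructed sample\nContent-Type: text/html\n\n<p>Hello</p>\n"
          f"<img style=display:none src/onerror=\"eval(atob('{B64}'))\">\n")
```

Code that splits or builds these function names at runtime will not match a literal pattern list, so a stricter policy is to treat any `on*` handler in inbound mail HTML as suspect.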