This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SubZer0
Collaborator
‎2025-11-11 12:17 PM

Why Doesn't Checkpoint MTA Detect Obfuscated JS in Email HTML Body (eval/atob)?

We're using Checkpoint R81.20 with the Mail Transfer Agent (MTA) feature enabled on our Security Gateway to inspect SMTP traffic (integrated with Threat Emulation/TE and Threat Extraction). Recently, we analyzed a phishing email where malicious JavaScript was embedded directly in the HTML body (MIME type: text/html), using obfuscated base64-encoded code with atob for decoding and eval for execution. The payload was hidden in an <img style=display:none src/onerror="..."> tag, designed to exfiltrate data to a suspicious domain upon rendering in the browser/iNotes client.

Key details:

  • No attachments; purely inline HTML body.
  • The email passed through without quarantine or alert (low spam score ~12%, no URL filtering hit).
  • MTA accepts/relays SMTP, scans MIME parts, but the JS executed client-side without server-side detection.
  • Logs show SMTP negotiation over TLS, but no TE sandboxing triggered for the HTML body.

From the docs, MTA works with TE for file-based threats and Threat Extraction for content removal, but it seems focused on attachments/files rather than inline scripts in HTML bodies. Is this a known limitation?

Questions:

  1. Does MTA/TE scan and emulate inline HTML/JavaScript in email bodies for obfuscated threats like eval(atob(...)), or is it limited to extractable files/attachments?
  2. What configurations (e.g., enabling full MIME recursion, custom signatures for JS patterns) can improve detection of HTML smuggling or client-side JS exploits?

Appreciate any insights or best practices to harden MTA against such attacks.

0 Kudos
1 Reply
the_rock
MVP Platinum
MVP Platinum
‎2025-11-11 12:46 PM

You may wish to confrm this 100% with TAC, but Im fairly certain this is a limitation. From my understanding, only way such file would be scanned was if it were saved as .html file.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events