rule EMBEDDEDHTML_WITH_SCRIPT {
	meta:
		description = "possible abuse of Office video embededHtml"
		reference = "https://blog.cymulate.com/abusing-microsoft-office-online-video"
	strings:
		$embeddedHtmlre1 = /\sembeddedHtml="[^"]+/
		$embeddedHtmlre2 = /\sembeddedHtml='[^']+/
		$script = "<script" nocase
	condition:
		(for any i in (1 .. #embeddedHtmlre1) : ( for any j in (1 .. #script) : ( @embeddedHtmlre1[i] < @script[j] and @script[j] < @embeddedHtmlre1[i] + !embeddedHtmlre1[i] ) )) or (for any i in (1 .. #embeddedHtmlre2) : ( for any j in (1 .. #script) : ( @embeddedHtmlre2[i] < @script[j] and @script[j] < @embeddedHtmlre2[i] + !embeddedHtmlre2[i] ) ))
}