Abuse: Robinhood injected content

Detects messages from Robinhood with injected HTML into one of the list fields, often the 'Device' field.

Sublime rule

```yaml
name: "Abuse: Robinhood injected content"
description: "Detects messages from Robinhood with injected HTML into one of the list fields, often the 'Device' field."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "noreply@robinhood.com"
  and any(html.xpath(body.html, '//div/ul[count(li) = 4]/li').nodes,
          length(.raw) > 500 and strings.count(.raw, "</") > 10
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "4ada5d76-9327-538e-9ebc-31e63dfcc252"
```
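The rule's logic, re-implemented in Python as an added example that is not Sublime's code or its rule engine: a small standard-library HTML tree builder approximates the `//div/ul[count(li) = 4]/li` selection and each node's `.raw` markup, then applies the same length and closing-tag thresholds. The message dictionary shape (`inbound`, `sender_email`, `body_html`), the two sample bodies, and the treatment of `.raw` as the element's outer HTML are assumptions of this example, not facts from the rule.

```python
from html.parser import HTMLParser


class Node:
    """Minimal DOM node: tag, parent, element children, and its own serialized markup."""

    def __init__(self, tag, parent):
        self.tag = tag
        self.parent = parent
        self.children = []
        self._raw = []

    @property
    def raw(self):
        # Outer HTML of this element; assumed here to stand in for the rule's `.raw`.
        return "".join(self._raw)


class TreeBuilder(HTMLParser):
    """Builds a Node tree and records raw markup into every open ancestor as it is parsed."""

    VOID = {"area", "base", "br", "col", "hr", "img", "input", "link", "meta"}

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim in .raw
        self.root = Node("#document", None)
        self.stack = [self.root]

    def _record(self, fragment):
        for node in self.stack:
            node._raw.append(fragment)

    def _open(self, tag, push):
        node = Node(tag, self.stack[-1])
        self.stack[-1].children.append(node)
        if push:
            self.stack.append(node)
            self._record(self.get_starttag_text())
        else:  # void or self-closing: record the tag, never push it
            self._record(self.get_starttag_text())
            node._raw.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._open(tag, push=tag not in self.VOID)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, push=False)

    def handle_endtag(self, tag):
        # Close the nearest open element with this tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                for node in self.stack[: i + 1]:
                    node._raw.append(f"</{tag}>")
                del self.stack[i:]
                return

    def handle_data(self, data):
        self._record(data)

    def handle_entityref(self, name):
        self._record(f"&{name};")

    def handle_charref(self, name):
        self._record(f"&#{name};")

    def handle_comment(self, data):
        self._record(f"<!--{data}-->")


def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)


def has_injected_list_item(body_html, min_raw=500, min_close_tags=10):
    """Mirror of the rule's any(html.xpath(..., '//div/ul[count(li) = 4]/li'), ...) clause."""
    builder = TreeBuilder()
    builder.feed(body_html)
    builder.close()
    for ul in walk(builder.root):
        if ul.tag != "ul" or ul.parent is None or ul.parent.tag != "div":
            continue
        items = [c for c in ul.children if c.tag == "li"]
        if len(items) != 4:  # count(li) = 4: the four-field notification layout
            continue
        for li in items:
            if len(li.raw) > min_raw and li.raw.count("</") > min_close_tags:
                return True
    return False


def rule_matches(message):
    """Full rule: inbound, from the Robinhood sender, and an oversized list item."""
    if not message.get("inbound"):
        return False
    if message.get("sender_email", "").lower() != "noreply@robinhood.com":
        return False
    return has_injected_list_item(message["body_html"])


# Constructed sample bodies (not real Robinhood mail). The injected variant stuffs the
# 'Device' item with repeated markup so it exceeds both thresholds.
_TEMPLATE = """<html><body><div>
  <p>We noticed a login to your account.</p>
  <ul>
    <li>{device}</li>
    <li>Location: New York, NY</li>
    <li>Time: 2024-01-01 12:00 UTC</li>
    <li>IP address: 203.0.113.7</li>
  </ul>
</div></body></html>"""

_INJECTED_DEVICE = "Device: " + "".join(
    '<p><span>Unusual activity detected. Verify your account: '
    '<a href="https://example.invalid/verify">example.invalid</a></span></p>'
    for _ in range(12)
)

BENIGN_MESSAGE = {"inbound": True, "sender_email": "noreply@robinhood.com",
                  "body_html": _TEMPLATE.format(device="Device: iPhone")}
INJECTED_MESSAGE = {"inbound": True, "sender_email": "noreply@robinhood.com",
                    "body_html": _TEMPLATE.format(device=_INJECTED_DEVICE)}

if __name__ == "__main__":
    print("benign:", rule_matches(BENIGN_MESSAGE))      # False
    print("injected:", rule_matches(INJECTED_MESSAGE))  # True
```

Two points worth noting when reading this against the rule: the `count(li) = 4` predicate is what keeps the rule anchored to the notification layout it targets, so a body with five list items does not match even when one item is oversized, and the `length(.raw) > 500` / `strings.count(.raw, "</") > 10` pair is a size-and-structure heuristic rather than a content match, which is why a legitimate four-field notification with short plain-text values stays well under it.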