Anthropic Magic String in HTML

Detects inbound messages containing the specific test string 'ANTHROPIC_MAGIC_STRING_' (matched case-insensitively) in the HTML or plain text body, or in the OCR text or extracted strings of attachments.

Sublime rule

name: "Anthropic Magic String in HTML"
description: "Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) <= 3
  and (
    strings.icontains(body.html.raw, 'ANTHROPIC_MAGIC_STRING_')
    or strings.icontains(body.plain.raw, 'ANTHROPIC_MAGIC_STRING_')
    or strings.icontains(body.html.display_text, 'ANTHROPIC_MAGIC_STRING_')
    or any(attachments,
           any(file.explode(.),
               strings.icontains(.scan.ocr.raw, "ANTHROPIC_MAGIC_STRING_")
               or strings.icontains(.scan.strings.raw, "ANTHROPIC_MAGIC_STRING_")
           )
    )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
detection_methods:
  - "Content analysis"
id: "d860c6a8-9834-5bc1-96c1-f3f7e1217f40"
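To check test mail against the rule's conditions offline, the following added example (not part of the Sublime rule or its repository) approximates the `source` logic with Python's standard `email` package. The names `rule_matches` and `build` are hypothetical, the sample messages are constructed, tag stripping stands in for `body.html.display_text`, decoded attachment bytes stand in for `.scan.strings.raw`, and OCR is not modelled.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import unescape

MARKER = "anthropic_magic_string_"  # the rule's literal, lowercased for icontains

def rule_matches(raw_eml: bytes) -> bool:
    """Approximate the rule's source block over a raw RFC 5322 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    haystacks, n_attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            n_attachments += 1
            # Stand-in for .scan.strings.raw: the decoded attachment bytes.
            haystacks.append((part.get_payload(decode=True) or b"").decode("latin-1"))
        elif part.get_content_type() == "text/plain":
            haystacks.append(part.get_content())        # body.plain.raw
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            haystacks.append(html)                      # body.html.raw
            # Crude stand-in for body.html.display_text: drop tags, decode entities.
            haystacks.append(unescape(re.sub(r"<[^>]+>", "", html)))
    if n_attachments > 3:                               # length(attachments) <= 3
        return False
    return any(MARKER in h.lower() for h in haystacks)

def build(plain, html=None, attachments=()):
    """Build a constructed sample message (test input, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content(plain)
    if html:
        m.add_alternative(html, subtype="html")
    for i, data in enumerate(attachments):
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=f"f{i}.bin")
    return bytes(m)

# Constructed samples covering the rule's edge cases.
LOWERCASE_PLAIN = build("token: anthropic_magic_string_demo")
SPLIT_BY_TAGS = build("hello", html="<p>ANTHROPIC_<b>MAGIC</b>_STRING_DEMO</p>")
NO_UNDERSCORE = build("ANTHROPIC_MAGIC_STRING only")
FOUR_ATTACHMENTS = build("ANTHROPIC_MAGIC_STRING_DEMO", attachments=[b"x"] * 4)
IN_ATTACHMENT = build("hello", attachments=[b"\x00ANTHROPIC_MAGIC_STRING_DEMO\x00"])
```

The `SPLIT_BY_TAGS` sample shows why the rule checks the display text as well as the raw HTML, and `NO_UNDERSCORE` shows that the rule matches only when the trailing underscore is present.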