HTML: Template placeholders or recipient email in element class attributes

Detects inbound messages where HTML element class attributes contain either unfilled template placeholders (e.g., {email}, {RECIPIENT_EMAIL}, {domain}) or the recipient's actual email address — optionally wrapped in curly braces. This pattern indicates a bulk-sending infrastructure that failed to substitute personalization tokens, or one that embeds recipient identifiers directly into HTML class names for tracking or evasion purposes. Observed samples follow a consistent pattern: subjects contain numeric identifiers flanking the recipient's email address, and senders vary across unrelated domains, suggesting a coordinated operation targeting multiple organizations including technology and fitness brands.

Sublime rule (View on GitHub)

 1name: "HTML: Template placeholders or recipient email in element class attributes"
 2description: "Detects inbound messages where HTML element class attributes contain either unfilled template placeholders (e.g., {email}, {RECIPIENT_EMAIL}, {domain}) or the recipient's actual email address — optionally wrapped in curly braces. This pattern indicates a bulk-sending infrastructure that failed to substitute personalization tokens, or one that embeds recipient identifiers directly into HTML class names for tracking or evasion purposes. Observed samples follow a consistent pattern: subjects contain numeric identifiers flanking the recipient's email address, and senders vary across unrelated domains, suggesting a coordinated operation targeting multiple organizations including technology and fitness brands."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // observed unpopulated template variables in class names
 9    any(html.xpath(body.html, "//*/@class").nodes,
10        regex.icontains(.raw,
11                        '\{\s*(?:domain|email|(?:RECIPIENT|SENDER)[_\s]?EMAIL)\s*\}'
12        )
13    )
14  
15    // check where class names _are_ the email address, or contain the email address are wrapped in { } or start/end with { or }
16    or any(recipients.to,
17           .email.email != ""
18           and any(html.xpath(body.html, "//*/@class").nodes,
19                   .raw =~ ..email.email
20                   or .raw =~ strings.concat("{", ..email.email, "}")
21                   or .raw =~ strings.concat("{", ..email.email)
22                   or .raw =~ strings.concat(..email.email, "}")
23           )
24    )
25  )  
26attack_types:
27  - "Credential Phishing"
28  - "BEC/Fraud"
29tactics_and_techniques:
30  - "Evasion"
31  - "Social engineering"
32detection_methods:
33  - "HTML analysis"
34  - "Content analysis"
35id: "e7d0fb39-7a12-5a14-8041-245cc74a9320"
to-top