HTML: Template placeholders or recipient email in element class attributes
Detects inbound messages where HTML element class attributes contain either unfilled template placeholders (e.g., {email}, {RECIPIENT_EMAIL}, {domain}) or the recipient's actual email address — optionally wrapped in curly braces. This pattern indicates a bulk-sending infrastructure that failed to substitute personalization tokens, or one that embeds recipient identifiers directly into HTML class names for tracking or evasion purposes. Observed samples follow a consistent pattern: subjects contain numeric identifiers flanking the recipient's email address, and senders vary across unrelated domains, suggesting a coordinated operation targeting multiple organizations including technology and fitness brands.
Sublime rule (View on GitHub)
1name: "HTML: Template placeholders or recipient email in element class attributes"
2description: "Detects inbound messages where HTML element class attributes contain either unfilled template placeholders (e.g., {email}, {RECIPIENT_EMAIL}, {domain}) or the recipient's actual email address — optionally wrapped in curly braces. This pattern indicates a bulk-sending infrastructure that failed to substitute personalization tokens, or one that embeds recipient identifiers directly into HTML class names for tracking or evasion purposes. Observed samples follow a consistent pattern: subjects contain numeric identifiers flanking the recipient's email address, and senders vary across unrelated domains, suggesting a coordinated operation targeting multiple organizations including technology and fitness brands."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and (
8 // observed unpopulated template variables in class names
9 any(html.xpath(body.html, "//*/@class").nodes,
10 regex.icontains(.raw,
11 '\{\s*(?:domain|email|(?:RECIPIENT|SENDER)[_\s]?EMAIL)\s*\}'
12 )
13 )
14
15 // check where class names _are_ the email address, or contain the email address are wrapped in { } or start/end with { or }
16 or any(recipients.to,
17 .email.email != ""
18 and any(html.xpath(body.html, "//*/@class").nodes,
19 .raw =~ ..email.email
20 or .raw =~ strings.concat("{", ..email.email, "}")
21 or .raw =~ strings.concat("{", ..email.email)
22 or .raw =~ strings.concat(..email.email, "}")
23 )
24 )
25 )
26attack_types:
27 - "Credential Phishing"
28 - "BEC/Fraud"
29tactics_and_techniques:
30 - "Evasion"
31 - "Social engineering"
32detection_methods:
33 - "HTML analysis"
34 - "Content analysis"
35id: "e7d0fb39-7a12-5a14-8041-245cc74a9320"