Body: Yellow highlighted text markers

Detects messages containing multiple HTML span elements with yellow background highlighting (rgb(255, 241, 0)) and data-markjs attributes, potentially indicating evasion techniques through visual markup manipulation.

Sublime rule

name: "Body: Yellow highlighted text markers"
description: "Detects messages containing multiple HTML span elements with yellow background highlighting (rgb(255, 241, 0)) and data-markjs attributes, potentially indicating evasion techniques through visual markup manipulation."
type: "rule"
severity: "low"
source: |
  type.inbound
  and regex.icount(body.html.raw,
                   '<span[^>]*data-markjs="true"[^>]*background-color:\s*rgb\(255,\s*241,\s*0\)[^>]*>[^<]'
  ) >= 2
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
id: "869dd39d-02a5-59f2-8fa9-3922a8fd5467"
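To see what the rule's regex actually counts, here is an added Python example that is not part of the Sublime rule or its repository. It applies the same pattern to constructed HTML bodies and reproduces the rule's logic: regex.icount is a case-insensitive count, so re.IGNORECASE is used, and the message fires only when the count reaches 2. The sample bodies, the type.inbound stand-in and the function names are assumptions made for illustration.

```python
import re

# Pattern taken verbatim from the rule's source field. The trailing [^<] means a
# matching span must be followed by at least one non-tag character, so an empty
# highlighted span does not count. Attribute order matters: data-markjs must
# appear before the background-color declaration for the pattern to match.
MARKJS_HIGHLIGHT = re.compile(
    r'<span[^>]*data-markjs="true"[^>]*background-color:\s*rgb\(255,\s*241,\s*0\)[^>]*>[^<]',
    re.IGNORECASE,  # regex.icount in Sublime MQL is case-insensitive
)


def count_highlight_spans(body_html: str) -> int:
    """Equivalent of regex.icount(body.html.raw, ...) for one message body."""
    return len(MARKJS_HIGHLIGHT.findall(body_html))


def rule_matches(body_html: str, inbound: bool = True) -> bool:
    """Mirror of the rule: type.inbound and at least two highlighted spans."""
    return inbound and count_highlight_spans(body_html) >= 2


# Constructed sample bodies (not real messages).
# Two highlighted spans with visible text: the rule fires.
SAMPLE_HIT = (
    '<p>Your <span data-markjs="true" style="background-color: rgb(255, 241, 0);">account</span>'
    ' requires <span data-markjs="true" style="background-color:rgb(255,241,0)">verification</span></p>'
)

# Only one highlighted span: below the threshold of 2.
SAMPLE_ONE = (
    '<p>Please review the <span data-markjs="true" '
    'style="background-color: rgb(255, 241, 0)">attached</span> document.</p>'
)

# Two highlighted spans with no text inside them: [^<] rejects both.
SAMPLE_EMPTY = (
    '<span data-markjs="true" style="background-color: rgb(255, 241, 0)"></span>'
    '<span data-markjs="true" style="background-color: rgb(255, 241, 0)"></span>'
)

# Mixed-case markup: still counted because the match is case-insensitive.
SAMPLE_UPPER = (
    '<SPAN DATA-MARKJS="true" STYLE="BACKGROUND-COLOR: RGB(255, 241, 0)">Urgent</SPAN> '
    '<SPAN DATA-MARKJS="true" STYLE="BACKGROUND-COLOR: RGB(255, 241, 0)">action</SPAN>'
)

if __name__ == "__main__":
    for label, body in [("hit", SAMPLE_HIT), ("one", SAMPLE_ONE),
                        ("empty", SAMPLE_EMPTY), ("upper", SAMPLE_UPPER)]:
        print(f"{label:5} spans={count_highlight_spans(body)} fires={rule_matches(body)}")
```

The empty-span and attribute-order cases are the two edges worth knowing when tuning this rule: a span that carries the highlight style but no text, or one whose style attribute precedes data-markjs, is not counted even though the markup is otherwise identical.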