Body: Suspicious table template fingerprint

Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients.

Sublime rule

name: "Body: Suspicious table template fingerprint"
description: "Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // table template fingerprint containing "important" and "company"
  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
          .display_text == "Important"
  )
  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
          .display_text == "Company"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
id: "bb4517b1-9ec2-5d8e-86d8-51086293254a"
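To see what the two any() clauses actually test, here is an added stand-alone Python re-implementation of the fingerprint check run over constructed sample bodies; it is not Sublime's engine, and approximating .display_text as the whitespace-collapsed text of a cell's descendants is an assumption.

```python
import re
from html.parser import HTMLParser


class StyledCellCollector(HTMLParser):
    """Collect the display text of every <td> whose style attribute contains
    'background-color', i.e. the node set the rule's XPath
    '//td[contains(@style, "background-color")]' selects (nested cells included)."""

    def __init__(self):
        super().__init__()
        self.stack = []   # one entry per open <td>: a text buffer, or None if not styled
        self.texts = []   # display text of each matching cell, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            style = dict(attrs).get("style") or ""
            self.stack.append([] if "background-color" in style else None)

    def handle_data(self, data):
        for buf in self.stack:           # text belongs to every open matching cell
            if buf is not None:
                buf.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self.stack:
            buf = self.stack.pop()
            if buf is not None:          # assumption: display_text ~ collapsed whitespace
                self.texts.append(re.sub(r"\s+", " ", "".join(buf)).strip())


def matches_rule(body_html: str) -> bool:
    """True only if some styled cell reads exactly 'Important' AND some styled cell
    reads exactly 'Company' (the rule uses ==, so the match is case-sensitive)."""
    parser = StyledCellCollector()
    parser.feed(body_html)
    parser.close()
    return "Important" in parser.texts and "Company" in parser.texts


# Constructed sample bodies, not taken from any real message.
SUSPICIOUS_BODY = """<table>
  <tr><td style="background-color:#c00;color:#fff">
        <b>Important</b>
      </td></tr>
  <tr><td style="background-color:#eee">Company</td></tr>
  <tr><td>Please review the attached document.</td></tr>
</table>"""

# Same two words, but not as exact text of background-colored cells: no match.
BENIGN_BODY = """<table>
  <tr><td>Important</td></tr>
  <tr><td style="background-color:#eee">Company Newsletter</td></tr>
</table>"""
```

Because both clauses compare against the whole display text of a styled cell, a cell reading "Company Newsletter" does not satisfy the second clause.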