Body: HTML whitespace stuffing with short initial message

Detects messages that use HTML-based whitespace padding (repeated br tags, p-nbsp blocks, or div-br wrappers) to push content below the visible fold.

Sublime rule

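 # Sublime Security detection rule (YAML). The `source` block is MQL and is
 # evaluated per inbound message; every top-level `and` must hold for a hit.
name: "Body: HTML whitespace stuffing with short initial message"
description: "Detects messages that uses HTML-based whitespace padding (repeated br tags, p-nbsp blocks, or div-br wrappers) to push content below the visible fold."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Not a legitimate thread reply (no References and no In-Reply-To header),
  // or the message is self-addressed: exactly one To: recipient, no Cc:, and
  // that recipient's address equals the sender's address.
  and (
    (length(headers.references) == 0 and headers.in_reply_to is null)
    or (
      length(recipients.to) == 1
      and length(recipients.cc) == 0
      and sender.email.email == recipients.to[0].email.email
    )
  )
  // Whitespace-stuffed credphish targets single recipients: one To:, no Cc:, no Bcc:.
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  // Short lure: the current thread's text is under 2000 characters.
  and length(body.current_thread.text) < 2000
  // HTML whitespace stuffing, matched against the raw HTML. Only these three
  // literal padding forms are recognised (br runs, p/nbsp blocks, div-br
  // wrappers); the repeat counts (30 / 10 / 20) are the tuning knobs, and
  // lowering them widens coverage at the likely cost of more false positives.
  and (
    regex.icontains(body.html.raw, '(?:<br\s*/?\s*>\s*){30,}')
    or regex.icontains(body.html.raw,
                       '(?:<p>\s*(?:&nbsp;|&#160;)\s*</p>\s*){10,}'
    )
    or regex.icontains(body.html.raw,
                       '(?:<div[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
    )
  )
  // Low word count (non-whitespace tokens in the displayed HTML text)
  // excludes legitimate long threads.
  and regex.count(body.html.display_text, '\S+') < 3000

  // At least one visible http(s) link in the current thread whose root
  // domain differs from the sender's root domain (the off-domain lure link).
  and any(body.current_thread.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
          and .href_url.domain.valid
          and .href_url.scheme in ("https", "http")
          and .visible == true
  )

  // Credential phishing has few visible links - newsletters have many.
  // Counts only valid, visible http(s) links.
  and length(filter(body.current_thread.links,
                    .href_url.domain.valid
                    and .href_url.scheme in ("https", "http")
                    and .visible == true
             )
  ) < 10

  // Negate high-trust sender root domains (external list) that also pass
  // DMARC; a missing DMARC result is treated as a fail via coalesce.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )

  // Negate DMARC-passing senders that carry an unsubscribe mechanism
  // (marketing mail), detected in link text or link URL path.
  and not (
    coalesce(headers.auth_summary.dmarc.pass, false)
    and any(body.current_thread.links,
            strings.icontains(.display_text, "unsubscribe")
            or strings.icontains(.href_url.path, "unsubscribe")
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Header analysis"
id: "f8a3c1d2-7e4b-4a9f-b6c8-2d1e5f3a7b9c"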
