Credential theft: JavaScript date manipulation in HTML body

Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials.

Sublime rule (View on GitHub)

 1name: "Credential theft: JavaScript date manipulation in HTML body"
 2description: "Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and regex.contains(body.html.raw,
 8                     '<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
 9  )
10  and any(ml.nlu_classifier(body.current_thread.text).intents,
11          .name == "cred_theft"
12  )  
13attack_types:
14  - "Credential Phishing"
15tactics_and_techniques:
16  - "Evasion"
17  - "Scripting"
18  - "Social engineering"
19detection_methods:
20  - "HTML analysis"
21  - "Javascript analysis"
22  - "Natural Language Understanding"
23id: "8bf474fc-c622-5d89-a1f2-6d1622e69188"
to-top