Link: Credential harvesting with excess padding evasion
Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent.
Sublime rule (View on GitHub)
1name: "Link: Credential harvesting with excess padding evasion"
2description: "Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 // CTA link with action-oriented display text pointing to a different domain than the sender
8 and any(body.current_thread.links,
9 regex.icontains(.display_text,
10 '(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
11 )
12 and .href_url.domain.root_domain != sender.email.domain.root_domain
13 )
14 // tall rendered email with low word density
15 and beta.parse_exif(file.message_screenshot()).image_height > 1500
16 and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
17 '\S+'
18 ) > 500
19 // html whitespace stuffing patterns
20 and (
21 // bare div-br blocks repeated 30+ times
22 regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
23 // style div-br blocks repeated 20+ times
24 or regex.icontains(body.html.raw,
25 '(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
26 )
27 // class-attributed div-br blocks repeated 20+ times (Outlook elementToProof pattern)
28 or regex.icontains(body.html.raw,
29 '(?:<div\s+class="[^"]*"[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
30 )
31 // p-nbsp blocks repeated 25+ times
32 or regex.icontains(body.html.raw,
33 '(?:<p>\s*(?: | )\s*</p>\s*){25,}'
34 )
35 // css margin-top pushdown >= 1500px
36 or (
37 regex.icontains(body.html.raw,
38 'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
39 )
40 and not regex.icontains(body.html.raw,
41 'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
42 )
43 and not regex.icontains(body.html.raw,
44 'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
45 )
46 )
47 )
48
49attack_types:
50 - "Credential Phishing"
51tactics_and_techniques:
52 - "Evasion"
53 - "Social engineering"
54detection_methods:
55 - "Content analysis"
56 - "HTML analysis"
57 - "Exif analysis"
58 - "URL screenshot"
59id: "5591f618-aed0-579d-9875-cdebdd72c6d2"