Link: Credential harvesting with excess padding evasion

Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent.

Sublime rule (View on GitHub)

 1name: "Link: Credential harvesting with excess padding evasion"
 2description: "Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // CTA link with action-oriented display text pointing to a different domain than the sender
 8  and any(body.current_thread.links,
 9          regex.icontains(.display_text,
10                          '(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
11          )
12          and .href_url.domain.root_domain != sender.email.domain.root_domain
13  )
14  // tall rendered email with low word density
15  and beta.parse_exif(file.message_screenshot()).image_height > 1500
16  and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
17                                                                                  '\S+'
18  ) > 500
19  // html whitespace stuffing patterns
20  and (
21    // bare div-br blocks repeated 30+ times
22    regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
23    // style div-br blocks repeated 20+ times
24    or regex.icontains(body.html.raw,
25                       '(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
26    )
27    // class-attributed div-br blocks repeated 20+ times (Outlook elementToProof pattern)
28    or regex.icontains(body.html.raw,
29                       '(?:<div\s+class="[^"]*"[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
30    )
31    // p-nbsp blocks repeated 25+ times
32    or regex.icontains(body.html.raw,
33                       '(?:<p>\s*(?:&nbsp;|&#160;)\s*</p>\s*){25,}'
34    )
35    // css margin-top pushdown >= 1500px
36    or (
37      regex.icontains(body.html.raw,
38                      'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
39      )
40      and not regex.icontains(body.html.raw,
41                              'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
42      )
43      and not regex.icontains(body.html.raw,
44                              'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
45      )
46    )
47  )  
48
49attack_types:
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Evasion"
53  - "Social engineering"
54detection_methods:
55  - "Content analysis"
56  - "HTML analysis"
57  - "Exif analysis"
58  - "URL screenshot"
59id: "5591f618-aed0-579d-9875-cdebdd72c6d2"
to-top