Link: Credential harvesting with excess padding evasion

Detects inbound messages that contain an action-oriented link (open, sign in, confirm, release, document, etc.) pointing to a domain other than the sender's, whose rendered screenshot is unusually tall relative to its visible word count, and whose HTML uses whitespace stuffing to evade content analysis. The stuffing patterns matched are long runs of empty `<div><br></div>` blocks, `<p>&nbsp;</p>` paragraphs, or a CSS `margin-top` of 1500px or more; they push the visible lure far down the page while leaving little text for analyzers to score.

Sublime rule (View on GitHub)

 1name: "Link: Credential harvesting with excess padding evasion"
 2description: "Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // CTA link with action-oriented display text pointing to a different domain than the sender
 8  and any(body.current_thread.links,
 9          regex.icontains(.display_text,
10                          '(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
11          )
12          and .href_url.domain.root_domain != sender.email.domain.root_domain
13  )
14  // tall rendered email with low word density
15  and beta.parse_exif(file.message_screenshot()).image_height > 1500
16  and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
17                                                                                  '\S+'
18  ) > 500
19  // html whitespace stuffing patterns
20  and (
21    // bare div-br blocks repeated 30+ times
22    regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
23    // style div-br blocks repeated 20+ times
24    or regex.icontains(body.html.raw,
25                       '(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
26    )
27    // p-nbsp blocks repeated 25+ times
28    or regex.icontains(body.html.raw,
29                       '(?:<p>\s*(?:&nbsp;|&#160;)\s*</p>\s*){25,}'
30    )
31    // css margin-top pushdown >= 1500px
32    or (
33      regex.icontains(body.html.raw,
34                      'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
35      )
36      and not regex.icontains(body.html.raw,
37                              'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
38      )
39      and not regex.icontains(body.html.raw,
40                              'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
41      )
42    )
43  )  
44
45attack_types:
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Evasion"
49  - "Social engineering"
50detection_methods:
51  - "Content analysis"
52  - "HTML analysis"
53  - "Exif analysis"
54  - "URL screenshot"
55id: "5591f618-aed0-579d-9875-cdebdd72c6d2"