Evasion: Hidden content divs from freemail sender

Detects inbound messages from freemail senders containing multiple hidden HTML div elements with specific styling properties (display:none, opacity:0, zero dimensions) that are commonly used to evade content filtering and detection systems.

Sublime rule (View on GitHub)

```yaml
name: "Evasion: Hidden content divs from freemail sender"
description: "Detects inbound messages from freemail senders containing multiple hidden HTML div elements with specific styling properties (display:none, opacity:0, zero dimensions) that are commonly used to evade content filtering and detection systems."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain in $free_email_providers
  and strings.count(body.html.raw,
                    '<div style="display:none;opacity:0;width:0;height:0;overflow:hidden" aria-hidden="true">'
  ) >= 3
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
  - "Sender analysis"
id: "15548316-19ca-5f81-91d4-98a877bae765"
```
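The rule's three conditions reproduced in Python, as an added example that is not Sublime's engine or part of the rule above: `count_exact` mirrors `strings.count` on the literal marker, and `count_hidden_divs` generalizes it to a parser-based count of divs whose inline style sets the same four properties in any order or spacing. The freemail set, the `root_domain` helper and the sample message are constructed stand-ins for `$free_email_providers` and Sublime's MQL functions.

```python
from html.parser import HTMLParser

# Exact marker the rule counts in body.html.raw (copied from the rule).
HIDDEN_DIV = '<div style="display:none;opacity:0;width:0;height:0;overflow:hidden" aria-hidden="true">'
# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
# CSS properties carried by the marker; matched below in any order and spacing.
HIDING_PROPS = {"display": "none", "opacity": "0", "width": "0", "height": "0"}


def root_domain(email):
    # Crude stand-in for sender.email.domain.root_domain: last two labels only
    # (Sublime's version is public-suffix aware; this is an assumption).
    return ".".join(email.rsplit("@", 1)[-1].lower().split(".")[-2:])


def count_exact(html):
    # Mirrors strings.count(body.html.raw, '<div style=...>') in the rule.
    return html.count(HIDDEN_DIV)


class _HiddenDivCounter(HTMLParser):
    """Counts <div> start tags whose inline style sets every property in HIDING_PROPS."""

    def __init__(self):
        super().__init__()
        self.hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag != "div":
            return
        props = {}
        for decl in (dict(attrs).get("style") or "").split(";"):
            if ":" in decl:
                key, val = decl.split(":", 1)
                props[key.strip().lower()] = val.strip().lower().rstrip("px")  # "0px" -> "0"
        if all(props.get(k) == v for k, v in HIDING_PROPS.items()):
            self.hidden += 1


def count_hidden_divs(html):
    # Order- and whitespace-tolerant generalization of count_exact.
    parser = _HiddenDivCounter()
    parser.feed(html)
    return parser.hidden


def rule_matches(inbound, sender, html, counter=count_exact, threshold=3):
    # The rule's three ANDed conditions: inbound, freemail root domain, >= 3 hidden divs.
    return bool(inbound) and root_domain(sender) in FREE_EMAIL_PROVIDERS and counter(html) >= threshold


# Constructed sample message body: three hidden blocks using the exact marker.
SAMPLE_HTML = "<p>Invoice attached</p>" + (HIDDEN_DIV + "filler</div>") * 3
```

Running `rule_matches(True, "someone@gmail.com", SAMPLE_HTML)` returns True with either counter; passing `counter=count_hidden_divs` also catches bodies where the same properties appear in a different order, which the literal `strings.count` check does not.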