Credential theft: Gophish abuse with hidden tracking image

Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring.

Sublime rule:

name: "Credential theft: Gophish abuse with hidden tracking image"
description: "Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.icontains(body.html.raw,
                      '<img alt='''' style=''display: none'' src='''
    )
    or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
  )
  and strings.icontains(body.html.raw, '/track?rid=')

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "59915ceb-4d7c-56ba-a28e-ccda8d95b5e2"
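To see how the rule's conditions combine, here is an added Python re-implementation of its logic run over constructed message bodies. It is not Sublime's MQL engine or the project's own code: `strings.icontains` is modelled as a case-insensitive substring test, `type.inbound` as an `inbound` flag, `body.html.raw` as a plain string, and the sample bodies, domains and `rid` value are made up for the test.

```python
import re
from typing import Optional

# The two quoting variants of the hidden <img> tag the rule looks for, and the
# tracking-parameter fragment that must also be present (copied from the rule).
HIDDEN_IMG_SINGLE = "<img alt='' style='display: none' src='"
HIDDEN_IMG_DOUBLE = 'img alt="" style="display: none" src="'
TRACK_FRAGMENT = "/track?rid="


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring match, modelling strings.icontains."""
    return needle.lower() in haystack.lower()


def matches_rule(body_html: str, inbound: bool = True) -> bool:
    """Return True when a message would trigger the rule above.

    `inbound` stands in for type.inbound; `body_html` for body.html.raw.
    Both the hidden image AND the tracking parameter must be present.
    """
    if not inbound:
        return False
    hidden_img = icontains(body_html, HIDDEN_IMG_SINGLE) or icontains(body_html, HIDDEN_IMG_DOUBLE)
    return hidden_img and icontains(body_html, TRACK_FRAGMENT)


def extract_rid(body_html: str) -> Optional[str]:
    """Pull the rid value out of the tracking URL, useful for triage and pivoting."""
    m = re.search(r"/track\?rid=([A-Za-z0-9_-]+)", body_html)
    return m.group(1) if m else None


# Constructed sample bodies (not real messages; hostnames are placeholders).
PHISH_BODY = (
    '<html><body><p>Please review the attached invoice.</p>'
    '<img alt="" style="display: none" src="http://phish.example/track?rid=AbC123xyz">'
    '</body></html>'
)
NEWSLETTER_BODY = (
    '<html><body><img alt="logo" src="https://cdn.example.org/logo.png">'
    '<p>Monthly update</p></body></html>'
)
# Hidden image without the tracking parameter: must NOT match, to limit false positives.
HIDDEN_NO_TRACK_BODY = (
    "<html><body><img alt='' style='display: none' src='https://cdn.example.org/spacer.gif'>"
    '</body></html>'
)

if __name__ == "__main__":
    for label, body in [("phish", PHISH_BODY), ("newsletter", NEWSLETTER_BODY), ("hidden-no-track", HIDDEN_NO_TRACK_BODY)]:
        print(label, matches_rule(body), extract_rid(body))
```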