HTML content with print styling and credential theft language
Detects messages containing specific HTML print styling directives combined with high or medium confidence credential theft language, often used to format malicious content for printing or display.
Sublime rule
name: "HTML content with print styling and credential theft language"
description: "Detects messages containing specific HTML print styling directives combined with high or medium confidence credential theft language, often used to format malicious content for printing or display."
type: "rule"
severity: "high"
source: |
  type.inbound
  and strings.icontains(body.html.raw,
                        '<style>html {-webkit-print-color-adjust: exact} @media print {html, body {margin: 0; padding: 0; break-inside: avoid; page-break-inside: avoid}}'
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence != 'low'
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
id: "c262f5ba-56e2-5715-978c-81abfd197126"
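To make the rule's three conditions concrete, the following is an added Python re-implementation of its predicate. It is not Sublime's code: the message objects, the HTML bodies and the classifier output are constructed inline, because the real `ml.nlu_classifier` model is not available offline, so the `intents` list simply stands in for what the classifier would return for `body.current_thread.text`. `strings.icontains` is modelled as a case-insensitive substring test, which is also why the second sample, with the style block in upper case, still matches.

```python
"""Added example: the rule's matching logic expressed in plain Python."""
from dataclasses import dataclass
from typing import List

# The exact style block the rule searches for in body.html.raw (copied from the rule).
PRINT_STYLE = (
    "<style>html {-webkit-print-color-adjust: exact} @media print "
    "{html, body {margin: 0; padding: 0; break-inside: avoid; "
    "page-break-inside: avoid}}"
)


@dataclass
class Intent:
    """One entry of ml.nlu_classifier(...).intents (constructed stand-in)."""
    name: str
    confidence: str  # the classifier labels these 'low', 'medium' or 'high'


@dataclass
class Message:
    """Constructed stand-in for the fields the rule reads."""
    inbound: bool            # type.inbound
    html_raw: str            # body.html.raw
    intents: List[Intent]    # ml.nlu_classifier(body.current_thread.text).intents


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, mirroring strings.icontains."""
    return needle.lower() in haystack.lower()


def has_cred_theft_intent(intents: List[Intent]) -> bool:
    """any(intents, .name == 'cred_theft' and .confidence != 'low')"""
    return any(i.name == "cred_theft" and i.confidence != "low" for i in intents)


def matches_rule(msg: Message) -> bool:
    """All three conditions of the rule's `source` block must hold."""
    return bool(
        msg.inbound
        and icontains(msg.html_raw, PRINT_STYLE)
        and has_cred_theft_intent(msg.intents)
    )


# Constructed samples covering each branch of the predicate.
LURE_BODY = "<p>Your account access will be suspended. Sign in to confirm.</p>"
SAMPLES = {
    # style block present, classifier confident about cred_theft: rule fires
    "style_and_high_confidence": Message(
        True, PRINT_STYLE + LURE_BODY, [Intent("cred_theft", "high")]),
    # same style block in upper case still matches because icontains ignores case
    "style_uppercase_medium": Message(
        True, PRINT_STYLE.upper() + LURE_BODY, [Intent("cred_theft", "medium")]),
    # style block present but only low-confidence cred_theft: excluded by != 'low'
    "style_but_low_confidence": Message(
        True, PRINT_STYLE + LURE_BODY, [Intent("cred_theft", "low")]),
    # strong cred_theft language but no print styling: the HTML condition fails
    "cred_theft_without_style": Message(
        True, LURE_BODY, [Intent("cred_theft", "high")]),
    # outbound mail is never considered, whatever the body says
    "outbound": Message(
        False, PRINT_STYLE + LURE_BODY, [Intent("cred_theft", "high")]),
}


def evaluate_samples() -> dict:
    """Return the rule verdict for every constructed sample."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28s} -> {'MATCH' if verdict else 'no match'}")
```

Two properties of the rule are visible here. The HTML condition is a verbatim substring comparison apart from letter case, so any difference in the whitespace or ordering of the style block, or a missing closing brace, leaves it unmatched; that is why it is tagged "Attack surface reduction" and is best read alongside the related rules rather than as a stand-alone phishing detector. The NLU condition, by contrast, accepts both `medium` and `high` confidence and only discards `low`, so the rule's precision rests mainly on the rarity of this particular style block in legitimate mail.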
Related rules
- BEC/Fraud: Fake investment outreach from suspicious TLD
- Attachment: PDF with recipient email in link
- Attachment: PDF with self-service platform links with self sender or blank recipients
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Service abuse: Linode Objects HTML file hosting