Body HTML: Comment with 24-character hex token

Detects messages whose HTML body contains a comment consisting of exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking.

Sublime rule (View on GitHub)

name: "Body HTML: Comment with 24-character hex token"
description: "Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes."
type: "rule"
severity: "low"
# NOTE(review): 24 hex characters is also the length of common message/record
# identifiers (e.g. a 12-byte ObjectId rendered as hex), so ordinary mailers can
# produce benign hits; that is consistent with the "low" severity here — confirm
# the false-positive rate before raising it.
source: |
  type.inbound
  and (
    // Branch 1: the raw (unparsed) HTML string begins, after optional whitespace,
    // with a comment whose whole content is a 24-char hex token, e.g.
    // <!-- 0123456789abcdef01234567 --> (constructed example). No other
    // condition applies in this branch.
    regex.icontains(body.html.raw, '^\s*<!--\s*[a-f0-9]{24}\s*-->')
    // Branch 2: the token comment may sit anywhere in the parsed HTML, but only
    // counts when no comment in the message is a conditional ("[if") comment.
    or (
      // At least one comment node consists solely of the hex token. The regex is
      // anchored with ^ and $, so a comment with extra text around the token
      // (or a longer hex string) does not match here.
      any(html.xpath(body.html, '//comment()').nodes,
          regex.icontains(.raw, '^<!--\s*[a-f0-9]{24}\s*-->$')
      )
      // Exclude messages that carry conditional comments such as "<!--[if mso]>",
      // which templated mail commonly emits for Outlook rendering; presumably
      // their presence marks ordinary templated mail rather than an evasion
      // token, so the rule stays quiet on them.
      and not any(html.xpath(body.html, '//comment()').nodes,
                  strings.icontains(.raw, '[if')
      )
    )
  )  
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
id: "2a5da530-3c80-5b05-83cd-ae092ef68a0d"