Link: Fake secure message notification template

Detects inbound messages containing links that match a specific HTML styling fingerprint characterized by a distinctive blue color scheme (rgb(41, 88, 140)), a bottom border of 10px solid with the same blue, and a padding of 1.6em. This combination of CSS properties is associated with malicious messages designed to lure recipients into clicking embedded links.

Sublime rule (View on GitHub)

name: "Link: Fake secure message notification template"
description: "Detects inbound messages containing links that match a specific HTML styling fingerprint characterized by a distinctive blue color scheme (rgb(41, 88, 140)), a bottom border of 10px solid with the same blue, and a padding of 1.6em. This combination of CSS properties is associated with malicious messages designed to lure recipients into clicking embedded links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) > 0
  and regex.icontains(body.html.raw,
                      'background-color\s*:\s*rgb\(41,\s*88,\s*140\)'
  )
  and regex.icontains(body.html.raw,
                      'border-bottom\s*:\s*10px\s+solid\s+rgb\(41,\s*88,\s*140\)'
  )
  and regex.icontains(body.html.raw, 'padding\s*:\s*1\.6em')
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
  - "URL analysis"
id: "41148d75-676a-5ce6-aeb3-91cf943c3efd"
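To see what the three `regex.icontains` checks and the `length(body.links) > 0` guard actually accept and reject, here is a Python re-implementation of the rule's boolean logic run over constructed HTML samples. This is an added example, not part of the Sublime rule or its repository; the `count_links` helper is a deliberately simplified stand-in for Sublime's `body.links` (which is populated by the platform's own parser), and the sample messages and `example.invalid` URLs are constructed for the test.

```python
import re

# The three CSS fingerprint patterns copied from the rule. MQL's regex.icontains
# is a case-insensitive regex search over the raw HTML, so compile with IGNORECASE.
FINGERPRINT_PATTERNS = [
    ("background", re.compile(r'background-color\s*:\s*rgb\(41,\s*88,\s*140\)', re.IGNORECASE)),
    ("border",     re.compile(r'border-bottom\s*:\s*10px\s+solid\s+rgb\(41,\s*88,\s*140\)', re.IGNORECASE)),
    ("padding",    re.compile(r'padding\s*:\s*1\.6em', re.IGNORECASE)),
]

# Hypothetical stand-in for body.links: count anchor tags carrying an href.
# Sublime's real body.links extraction is richer than this.
HREF_RE = re.compile(r'<a\b[^>]*\bhref\s*=', re.IGNORECASE)


def count_links(html: str) -> int:
    """Approximate length(body.links) by counting <a href=...> occurrences."""
    return len(HREF_RE.findall(html))


def matches_fingerprint(html: str) -> dict:
    """Report which of the three CSS fingerprint checks hit, for triage/tuning."""
    return {name: bool(pattern.search(html)) for name, pattern in FINGERPRINT_PATTERNS}


def rule_fires(html: str, inbound: bool = True) -> bool:
    """Mirror of the rule: inbound AND at least one link AND all three CSS checks."""
    if not inbound:
        return False
    if count_links(html) == 0:
        return False
    return all(hit for hit in matches_fingerprint(html).values())


# Constructed sample 1: all three properties present (with case and spacing
# variations the regexes tolerate) plus a link, so the rule should fire.
SAMPLE_MATCH = """<html><body>
<div style="Background-Color : rgb(41,  88,140); padding:1.6em">
  <p>You have received a secure message.</p>
  <div style="border-bottom:10px  solid   rgb(41, 88, 140)"></div>
  <a href="https://example.invalid/view">View message</a>
</div></body></html>"""

# Constructed sample 2: a newsletter-style button with a similar but different
# blue and the same padding; only one of three checks hits, so no alert.
SAMPLE_PARTIAL = """<div style="background-color: rgb(41, 88, 141); padding: 1.6em">
  <a href="https://example.invalid/news">Read more</a>
</div>"""

# Constructed sample 3: the full CSS fingerprint but no link at all, so the
# length(body.links) > 0 guard stops the rule from firing.
SAMPLE_NO_LINKS = """<div style="background-color:rgb(41,88,140);padding:1.6em;
border-bottom:10px solid rgb(41,88,140)">Plain notice, nothing to click.</div>"""


if __name__ == "__main__":
    for label, sample in [("match", SAMPLE_MATCH), ("partial", SAMPLE_PARTIAL), ("no_links", SAMPLE_NO_LINKS)]:
        print(label, matches_fingerprint(sample), "links:", count_links(sample), "fires:", rule_fires(sample))
```

The `matches_fingerprint` breakdown is the useful part when tuning: a message that trips only one or two of the CSS checks is worth a look when investigating a false negative, and the link-count guard is what keeps a plain styled notice with nothing clickable from alerting.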