Body HTML: Recipient SLD in HTML class

Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source.

Sublime rule

# Sublime detection rule. Fires on an inbound message addressed to exactly one
# org_domains recipient whose domain SLD is repeated across most of the HTML
# class attributes in the body, when the sender did not authenticate as an
# org_domain and the message is not a reply.
name: "Body HTML: Recipient SLD in HTML class"
description: "Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source."
type: "rule"
severity: "medium"
# MQL query; every top-level clause must hold (they are joined with `and`).
source: |
  type.inbound
  // not an org_domain which passed dmarc
  // coalesce() turns a missing DMARC result into false, so mail claiming an
  // org_domain without a DMARC pass stays in scope
  and not (
    sender.email.domain.domain in $org_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // a single recipient within the org_domains
  // (with exactly one recipient, all() below checks that one address)
  and (
    length(recipients.to) == 1
    and all(recipients.to, .email.domain.domain in $org_domains)
  )
  
  // there are more than 30 class attributes containing the recipient's SLD
  // `..raw` is the class attribute value from the outer filter(); `.email`
  // is the recipient from the inner any()
  // NOTE: the same predicate is repeated in the ratio() check below — MQL has
  // no way to bind it once, so keep both copies in sync when editing
  and length(filter(html.xpath(body.html, '//@class').nodes,
                    any(recipients.to,
                        // the class name is the same (=~ is case-insensitive)
                        ..raw =~ .email.domain.sld
                        // a specific observed pattern with a prefix of x_hz
                        // (istarts_with is case-insensitive as well)
                        or strings.istarts_with(..raw,
                                                strings.concat('x_hz',
                                                               .email.domain.sld
                                                )
                        )
                    )
             )
  ) > 30
  // more than 80% of the class attributes contain the recipient's SLD
  // (strictly greater than 0.80; same predicate as the count check above)
  and ratio(html.xpath(body.html, '//@class').nodes,
            any(recipients.to,
                // the class name is the same
                ..raw =~ .email.domain.sld
                // a specific observed pattern with a prefix of x_hz
                or strings.istarts_with(..raw,
                                        strings.concat('x_hz', .email.domain.sld)
                )
            )
  ) > 0.80
  
  // not replies
  and not (length(headers.references) > 0 or headers.in_reply_to is not null)
  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): unlike the coalesce() above, a missing DMARC result is not
  // mapped to false here, so a high-trust sender with no DMARC result is
  // presumably excluded rather than treated as a fail — confirm this is intended
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Header analysis"
  - "Sender analysis"
id: "d395e41d-534f-5a55-9dce-57f5d0856bf7"