Spam: Image as content with Hidden HTML Element

This technique has been observed in emails using account/membership-expiration lures themed around popular online services, or delivery-notification lures.


name: "Spam: Image as content with Hidden HTML Element"
description: "This has been observed in the delivery of emails containing account/membership expiration lure themes of popular online services or delivery notifications."
type: "rule"
severity: "low"
# The MQL below requires two things in the raw HTML body: a "link-wrapped,
# centered image" template AND a display:none span/div that is either stuffed
# with filler (underscores, &nbsp; and invisible code points) or immediately
# followed by a <meta>/<center> tag. Both halves match on body.html.raw, so
# the patterns are sensitive to the exact markup emitted by the template.
source: |
  // Inbound mail only, from a sender the recipient's profile does not mark as
  // solicited, or with an empty sender address (nothing to build a profile on).
  type.inbound
  and (not profile.by_sender().solicited or sender.email.email == "")
  // not high trust sender domains
  // A root domain listed in $high_trust_sender_root_domains (a list maintained
  // outside this rule) is only considered when DMARC did not pass; every other
  // root domain is always considered.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    // find the template - a link that is a centered image
    // Each alternative looks for <a href="http(s)://..."> (optionally carrying
    // further quoted attributes) wrapping one or more <img src="..."> tags; they
    // differ only in where the anchor sits relative to the centering element.
    (
      // at the start of a center
      // 'center' must be followed by '>' or by '"' plus the rest of the tag, so
      // this covers a bare <center> tag and an attribute value ending in
      // center (such as align="center"); the anchor then has to close and be
      // followed, after optional simple tags, by '</'.
      regex.contains(body.html.raw,
                     'center(?:\x22[^\>]+)?\>\s*<a href=\"https?:\/\/[^\x22]+\x22(?:\s[a-z]+=\x22[^\x22]+\x22)*>\s*[^\n]*?(?:\<img src=\x22[^\x22]+\x22>(?:<[a-z]+>\s*)*){1,}<\/a>(?:<[a-z]+>\s*)*<\/'
      )
      // or at the end of the center
      // The anchor (and any trailing simple tags or </a>) must run straight
      // into the closing </center>.
      or regex.contains(body.html.raw,
                        '<a href=\"https?:\/\/[^\x22]+\x22(?:\s[a-z]+=\x22[^\x22]+\x22)*>\s*(?:\<img src=\x22[^\x22]+\x22>(?:<\/a>|(?:<[a-z]+>\s*))*){1,}<\/center>'
      )
      // at the start of the body
      // Same shape as the first alternative, anchored on 'body' (a bare <body>
      // tag or an attribute value ending in body) and ending at </a>.
      or regex.contains(body.html.raw,
                     'body(?:\x22[^\>]+)?\>\s*<a href=\"https?:\/\/[^\x22]+\x22(?:\s[a-z]+=\x22[^\x22]+\x22)*>\s*[^\n]*?(?:\<img src=\x22[^\x22]+\x22>(?:<[a-z]+>\s*)*){1,}<\/a>'
      )
    )

    // and where there is a span/div hidden via display:none; (style must be the
    // first attribute and the semicolon after 'none' is required) whose content
    // is either underscores or &nbsp; — each optionally padded with U+2007
    // figure space, U+00AD soft hyphen or U+034F combining grapheme joiner —
    // repeated three or more times before the next tag, OR that is immediately
    // followed by a <meta or <center tag
    and regex.contains(body.html.raw,
                       '<(?:span|div)\s*style=\x22[^\x22]*\s*display\s*\x3a\s*none\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*(?:(?:_|[\x{2007}\x{00AD}\x{034F}\s]*&nbsp\x3b\s*[\x{2007}\x{00AD}\x{034F}\s]*){3,}\s*\<|\s+\<meta |\s+\<center )'
    )
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "5de8861f-a343-521f-ac8c-b4b91e389a6e"