Spam: Image as content with Hidden HTML Element

This technique has been observed in emails that use account/membership-expiration lures for popular online services, or delivery-notification lures.

Sublime rule (View on GitHub)

 1name: "Spam: Image as content with Hidden HTML Element"
 2description: "This has been observed in the delivery of emails containing account/membership expiration lure themes of popular online services or delivery notifications."
 3type: "rule"
  # Classified as spam (see attack_types below), hence the low severity.
 4severity: "low"
 5source: |
    // All three conditions must hold: inbound from an unsolicited/unknown sender,
    // sender not an authenticated high-trust domain, and the HTML template below.
 6  type.inbound
    // unsolicited per the sender profile, or no sender address at all (empty string)
 7  and (not profile.by_sender().solicited or sender.email.email == "")
 8  // not high trust sender domains
    // a high-trust root domain is only excluded when DMARC passes; a message from
    // such a domain without a DMARC pass is still evaluated by the rest of the rule
 9  and (
10    (
11      sender.email.domain.root_domain in $high_trust_sender_root_domains
12      and not headers.auth_summary.dmarc.pass
13    )
14    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
15  )
16  and (
17    // find the template - a link that is a centered image
    // \x22, \x3a and \x3b are hex escapes for the characters " : ; so the
    // single-quoted patterns contain no literal quote characters
18    (
19      // at the start of a center
20      regex.contains(body.html.raw,
21                     'center(?:\x22[^\>]+)?\>\s*<a href=\"https?:\/\/[^\x22]+\x22(?:\s[a-z]+=\x22[^\x22]+\x22)*>\s*[^\n]*?(?:\<img src=\x22[^\x22]+\x22>(?:<[a-z]+>\s*)*){1,}<\/a>\s*<\/'
22      )
23      // or at the end of the center
24      or regex.contains(body.html.raw,
25                        '<a href=\"https?:\/\/[^\x22]+\x22(?:\s[a-z]+=\x22[^\x22]+\x22)*>\s*[^\n]*\<img src=\x22[^\x22]+\x22><\/a>\s*<\/center>'
26      )
27    )
28  
29    // and where there is a span/div that is hidden with either &nbsp\x3b\x200c? or underscores repeating multiple times OR followed by a new metatag
    // the pattern requires style= as the first attribute of the span/div and a ';'
    // directly after display:none; other hiding styles are out of scope for this rule
    // NOTE(review): '\x200c?' reads as \x20 (space) + literal '0' + optional 'c' under
    // two-digit \xHH escapes; if U+200C (zero-width non-joiner) was intended, confirm
    // the engine's syntax for code points above \xFF (e.g. \x{200c})
30    and regex.contains(body.html.raw,
31                       '<(?:span|div)\s*style=\x22[^\x22]*\s*display\s*\x3a\s*none\x3b[^\x22]*\x22>(?:(?:_|&nbsp\x3b\x200c?){3,}\s+\<|\s+\<meta |\s+\<center )'
32    )
33  )  
34
35attack_types:
36  - "Spam"
37tactics_and_techniques:
38  - "Evasion"
39  - "Image as content"
40detection_methods:
41  - "Content analysis"
42  - "HTML analysis"
43  - "Sender analysis"
44id: "5de8861f-a343-521f-ac8c-b4b91e389a6e"