
Link: Credential harvesting with excess padding evasion

Detects inbound messages that carry a credential-themed call-to-action link pointing off the sender's domain, whose rendered screenshot is unusually tall for the amount of visible text, and whose HTML uses padding techniques to evade detection. The rule looks for long runs of empty div/br blocks, paragraphs containing only non-breaking spaces, or large CSS margin-top values that artificially inflate the rendered height of the message.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

// Rule intent: a credential-themed call-to-action (CTA) link that leaves the
// sender's domain, inside a message that renders far taller than its word count
// justifies, where the extra height comes from HTML/CSS whitespace stuffing
// (repeated empty div/br or p/nbsp blocks, or a very large margin-top).
// The top-level conditions are AND-ed; the stuffing check is the only OR group.
type.inbound
// CTA link with action-oriented display text pointing to a different domain than the sender
// NOTE(review): the keyword regex is an unanchored, case-insensitive substring
// match, so "reopen", "secured" or "documentation" satisfy it as well; the
// cross-domain test and the padding heuristics below are what keep the rule narrow.
and any(body.current_thread.links,
        regex.icontains(.display_text,
                        '(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
        )
        // root-domain comparison: any host under the sender's own registrable
        // domain does not count as a different domain.
        and .href_url.domain.root_domain != sender.email.domain.root_domain
)
// tall rendered email with low word density
// the rendered message screenshot must be taller than 1500 px ...
and beta.parse_exif(file.message_screenshot()).image_height > 1500
// ... and carry more than 5 px of height per whitespace-delimited token
// (height * 100 / tokens > 500), i.e. fewer than 300 tokens at the 1500 px floor.
// NOTE(review): regex.count yields 0 for a body with no visible text (e.g. an
// image-only message); confirm how the engine evaluates the division then — if
// it becomes null/false, image-only padded phish would not match this rule.
and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
                                                                                '\S+'
) > 500
// html whitespace stuffing patterns
and (
  // bare div-br blocks repeated 30+ times
  // (consecutive, separated only by whitespace; a div carrying attributes breaks the run)
  regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
  // style div-br blocks repeated 20+ times
  or regex.icontains(body.html.raw,
                     '(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
  )
  // p-nbsp blocks repeated 25+ times
  or regex.icontains(body.html.raw,
                     '(?:<p>\s*(?:&nbsp;|&#160;)\s*</p>\s*){25,}'
  )
  // css margin-top pushdown >= 1500px
  // the alternation covers 1500-1999, 2000-9999 and 10000+; only integer px
  // values match (no decimals, no em/rem/%, and not the `margin:` shorthand).
  or (
    regex.icontains(body.html.raw,
                    'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
    )
    // exclusions: the same large margin-top preceded by absolute positioning or
    // by a 3+ digit margin-left, presumably to spare absolute-layout templates
    // — confirm. `[^"]*` only requires that no double quote sits between the
    // two properties, so in practice they must share one style="" value (or an
    // unquoted <style> block), and the excluded property must come first; the
    // reverse order is not excluded.
    and not regex.icontains(body.html.raw,
                            'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
    )
    and not regex.icontains(body.html.raw,
                            'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
    )
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security detection rule. The MQL query under `source` is the same
# query rendered above under "Detection Query"; `//` lines inside it are MQL
# comments, everything else in this file is rule metadata.
name: "Link: Credential harvesting with excess padding evasion"
description: "Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent."
type: "rule"
# A match needs a cross-domain credential CTA, a tall low-density render AND an
# HTML stuffing pattern at once — presumably why the severity is high; confirm
# against the tenant's false-positive tolerance before enabling in blocking mode.
severity: "high"
source: |
  type.inbound
  // CTA link with action-oriented display text pointing to a different domain than the sender
  and any(body.current_thread.links,
          regex.icontains(.display_text,
                          '(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
          )
          and .href_url.domain.root_domain != sender.email.domain.root_domain
  )
  // tall rendered email with low word density
  and beta.parse_exif(file.message_screenshot()).image_height > 1500
  and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
                                                                                  '\S+'
  ) > 500
  // html whitespace stuffing patterns
  and (
    // bare div-br blocks repeated 30+ times
    regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
    // style div-br blocks repeated 20+ times
    or regex.icontains(body.html.raw,
                       '(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
    )
    // p-nbsp blocks repeated 25+ times
    or regex.icontains(body.html.raw,
                       '(?:<p>\s*(?:&nbsp;|&#160;)\s*</p>\s*){25,}'
    )
    // css margin-top pushdown >= 1500px
    or (
      regex.icontains(body.html.raw,
                      'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
      )
      and not regex.icontains(body.html.raw,
                              'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
      )
      and not regex.icontains(body.html.raw,
                              'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
      )
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
# "Exif analysis" and "URL screenshot" appear to correspond to the
# beta.parse_exif(file.message_screenshot()) calls in the query: the message is
# rendered and the screenshot's pixel height is read from its metadata.
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "URL screenshot"
# stable identifier for this rule; keep unchanged when editing the query
id: "5591f618-aed0-579d-9875-cdebdd72c6d2"