sublime | high | Rule
Credential theft: Gophish abuse with hidden tracking image
Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring.
Detection Query
type.inbound
and (
  strings.icontains(body.html.raw,
                    '<img alt='''' style=''display: none'' src='''
  )
  or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
)
and strings.icontains(body.html.raw, '/track?rid=')
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Credential theft: Gophish abuse with hidden tracking image"
description: "Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    strings.icontains(body.html.raw,
                      '<img alt='''' style=''display: none'' src='''
    )
    or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
  )
  and strings.icontains(body.html.raw, '/track?rid=')
attack_types:
- "Spam"
tactics_and_techniques:
- "Evasion"
- "Image as content"
detection_methods:
- "Content analysis"
- "HTML analysis"
id: "59915ceb-4d7c-56ba-a28e-ccda8d95b5e2"
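
For triaging exported message HTML outside the platform, the same signal (a display:none image whose source URL carries /track?rid=) can be checked with an HTML parser, so that attribute order, quoting and whitespace do not matter. This is an added example, not part of the rule or of Sublime's code; the function names and sample bodies are constructed, and reading the doubled single quotes in the query as escaped quotes is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The rule's two literals; assumes the doubled '' in the query is an escaped quote.
RULE_LITERALS = ("<img alt='' style='display: none' src='",
                 'img alt="" style="display: none" src="')

def rule_literal_match(html):
    """Same substring logic as the rule, for comparison with the parsed check."""
    low = html.lower()
    return any(lit in low for lit in RULE_LITERALS) and "/track?rid=" in low

class _HiddenTrackerFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        hidden = re.search(r"display\s*:\s*none", a.get("style", ""), re.I)
        url = urlsplit(a.get("src", ""))
        # Same signal as the rule: hidden image whose URL is .../track?rid=<value>
        if hidden and url.path.lower().endswith("/track") and "rid" in parse_qs(url.query):
            self.hits.append(a["src"])

def find_hidden_trackers(html):
    """Return src URLs of display:none <img> tags pointing at /track?rid=..."""
    finder = _HiddenTrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample bodies (not taken from real messages).
SAMPLES = {
    "rule_shape": "<p>Hi</p><img alt='' style='display: none' "
                  "src='http://mail.example/track?rid=AbC1234'/>",
    "normalized": '<IMG src="http://mail.example/track?rid=AbC1234" '
                  'style="display:none" alt="">',
    "benign": '<img alt="" style="display: none" src="https://cdn.example/logo.png">',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, rule_literal_match(body), find_hidden_trackers(body))
```

The "normalized" sample models the same image after a mail gateway or client has rewritten the markup; the parsed check still reports it, which makes the script useful for retro-hunting over archived bodies.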