EXPLORE
← Back to Explore
sublimemediumRule

Credential theft: JavaScript date manipulation in HTML body

Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials.

MITRE ATT&CK

defense-evasionexecutioninitial-access

Detection Query

type.inbound
and regex.contains(body.html.raw,
                   '<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential theft: JavaScript date manipulation in HTML body"
description: "Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(body.html.raw,
                     '<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Javascript analysis"
  - "Natural Language Understanding"
id: "8bf474fc-c622-5d89-a1f2-6d1622e69188"