← Back to Explore
sublimemediumRule
Credential theft: JavaScript date manipulation in HTML body
Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials.
Detection Query
type.inbound
and regex.contains(body.html.raw,
'<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential theft: JavaScript date manipulation in HTML body"
description: "Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials."
type: "rule"
severity: "medium"
source: |
type.inbound
and regex.contains(body.html.raw,
'<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Scripting"
- "Social engineering"
detection_methods:
- "HTML analysis"
- "Javascript analysis"
- "Natural Language Understanding"
id: "8bf474fc-c622-5d89-a1f2-6d1622e69188"