← Back to Explore
sublimehighRule
Attachment: HTML with hidden body
This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body.
Detection Query
type.inbound
and not profile.by_sender().solicited
// not high trust sender domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and any(attachments,
.file_extension == "html"
// starts with the hidden body element
and regex.icontains(file.parse_html(.).raw,
'^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">'
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: HTML with hidden body"
description: "This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body."
type: "rule"
severity: "high"
source: |
type.inbound
and not profile.by_sender().solicited
// not high trust sender domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and any(attachments,
.file_extension == "html"
// starts with the hidden body element
and regex.icontains(file.parse_html(.).raw,
'^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">'
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Scripting"
detection_methods:
- "Content analysis"
- "HTML analysis"
- "File analysis"
id: "b059a781-b681-5c84-98ba-416deb165555"