← Back to Explore
sublimemediumRule
Body: Suspicious table template fingerprint
Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients.
Detection Query
type.inbound
// table template fingerprint containing "important" and "company"
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
.display_text == "Important"
)
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
.display_text == "Company"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Body: Suspicious table template fingerprint"
description: "Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients."
type: "rule"
severity: "medium"
source: |
type.inbound
// table template fingerprint containing "important" and "company"
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
.display_text == "Important"
)
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
.display_text == "Company"
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
- "Evasion"
detection_methods:
- "HTML analysis"
- "Content analysis"
id: "bb4517b1-9ec2-5d8e-86d8-51086293254a"