EXPLORE
← Back to Explore
sublimemediumRule

Body: Suspicious table template fingerprint

Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients.

MITRE ATT&CK

initial-accessdefense-evasion

Detection Query

type.inbound
// table template fingerprint containing "important" and "company"
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
        .display_text == "Important"
)
and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
        .display_text == "Company"
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Body: Suspicious table template fingerprint"
description: "Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // table template fingerprint containing "important" and "company"
  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
          .display_text == "Important"
  )
  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
          .display_text == "Company"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Content analysis"
id: "bb4517b1-9ec2-5d8e-86d8-51086293254a"