
Body HTML: Recipient SLD in HTML class

Detects messages addressed to a single recipient in $org_domains whose second-level domain (SLD, e.g. "example" for example.com) is embedded in the bulk of the HTML `class` attribute values rather than in visible text. The message comes either from a trusted sender that did not pass DMARC (failed or no verdict) or from an untrusted source.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

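type.inbound
// not an org_domain which passed DMARC; a missing DMARC verdict counts as not passed
and not (
  sender.email.domain.domain in $org_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// exactly one To: recipient, and it is within org_domains
// (CC/BCC and multi-recipient sends are not covered by this rule)
and (
  length(recipients.to) == 1
  and all(recipients.to, .email.domain.domain in $org_domains)
)

// more than 30 class attributes are the recipient's SLD (or x_hz + SLD)
// '=~' is a case-insensitive equality, not a regex match
and length(filter(html.xpath(body.html, '//@class').nodes,
                  any(recipients.to,
                      // the class name equals the SLD (e.g. "example" for example.com)
                      ..raw =~ .email.domain.sld
                      // a specific observed pattern with a prefix of x_hz
                      or strings.istarts_with(..raw,
                                              strings.concat('x_hz',
                                                             .email.domain.sld
                                              )
                      )
                  )
           )
) > 30
// ... and those matches make up 80% or more of all class attributes, so a
// handful of incidental matches in a legitimate template is not enough
and ratio(html.xpath(body.html, '//@class').nodes,
          any(recipients.to,
              // the class name equals the SLD
              ..raw =~ .email.domain.sld
              // a specific observed pattern with a prefix of x_hz
              or strings.istarts_with(..raw,
                                      strings.concat('x_hz', .email.domain.sld)
              )
          )
) > 0.80

// not replies
and not (length(headers.references) > 0 or headers.in_reply_to is not null)
// negate highly trusted sender domains unless they fail (or lack) DMARC
// authentication; coalesce keeps a null verdict from evaluating to null here,
// consistent with the org_domains exclusion above
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)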

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
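name: "Body HTML: Recipient SLD in HTML class"
description: "Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // not an org_domain which passed DMARC; a missing DMARC verdict counts as not passed
  and not (
    sender.email.domain.domain in $org_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  
  // exactly one To: recipient, and it is within org_domains
  // (CC/BCC and multi-recipient sends are not covered by this rule)
  and (
    length(recipients.to) == 1
    and all(recipients.to, .email.domain.domain in $org_domains)
  )
  
  // more than 30 class attributes are the recipient's SLD (or x_hz + SLD)
  // '=~' is a case-insensitive equality, not a regex match
  and length(filter(html.xpath(body.html, '//@class').nodes,
                    any(recipients.to,
                        // the class name equals the SLD (e.g. "example" for example.com)
                        ..raw =~ .email.domain.sld
                        // a specific observed pattern with a prefix of x_hz
                        or strings.istarts_with(..raw,
                                                strings.concat('x_hz',
                                                               .email.domain.sld
                                                )
                        )
                    )
             )
  ) > 30
  // ... and those matches make up 80% or more of all class attributes, so a
  // handful of incidental matches in a legitimate template is not enough
  and ratio(html.xpath(body.html, '//@class').nodes,
            any(recipients.to,
                // the class name equals the SLD
                ..raw =~ .email.domain.sld
                // a specific observed pattern with a prefix of x_hz
                or strings.istarts_with(..raw,
                                        strings.concat('x_hz', .email.domain.sld)
                )
            )
  ) > 0.80
  
  // not replies
  and not (length(headers.references) > 0 or headers.in_reply_to is not null)
  // negate highly trusted sender domains unless they fail (or lack) DMARC
  // authentication; coalesce keeps a null verdict from evaluating to null here,
  // consistent with the org_domains exclusion above
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "HTML analysis"
  - "Header analysis"
  - "Sender analysis"
id: "d395e41d-534f-5a55-9dce-57f5d0856bf7"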