sublime · low · Rule
Anthropic Magic String in HTML
Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content.
Detection Query
type.inbound
and length(attachments) <= 3
and (
  strings.icontains(body.html.raw, 'ANTHROPIC_MAGIC_STRING_')
  or strings.icontains(body.plain.raw, 'ANTHROPIC_MAGIC_STRING_')
  or strings.icontains(body.html.display_text, 'ANTHROPIC_MAGIC_STRING_')
  or any(attachments,
         any(file.explode(.),
             strings.icontains(.scan.ocr.raw, "ANTHROPIC_MAGIC_STRING_")
             or strings.icontains(.scan.strings.raw, "ANTHROPIC_MAGIC_STRING_")
         )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Anthropic Magic String in HTML"
description: "Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) <= 3
  and (
    strings.icontains(body.html.raw, 'ANTHROPIC_MAGIC_STRING_')
    or strings.icontains(body.plain.raw, 'ANTHROPIC_MAGIC_STRING_')
    or strings.icontains(body.html.display_text, 'ANTHROPIC_MAGIC_STRING_')
    or any(attachments,
           any(file.explode(.),
               strings.icontains(.scan.ocr.raw, "ANTHROPIC_MAGIC_STRING_")
               or strings.icontains(.scan.strings.raw, "ANTHROPIC_MAGIC_STRING_")
           )
    )
  )
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Exploit"
detection_methods:
- "Content analysis"
id: "d860c6a8-9834-5bc1-96c1-f3f7e1217f40"