[Shared Samples] [PR #4308] added rule: PR# 4308 - Body HTML: Hidden conversation thread indicators in HTML

github-actions[bot] · github-actions[bot] · commit 719f5a8fbe5c · 2026-04-03T21:33:14.000Z
diff --git a/detection-rules/4308_body_html_hidden_conversation.yml b/detection-rules/4308_body_html_hidden_conversation.yml
@@ -0,0 +1,40 @@
+name: "PR# 4308 - Body HTML: Hidden conversation thread indicators in HTML"
+description: "Detects messages instances of email header fields (From, To, Date) and recipient email addresses hidden within the HTML source code that are not visible in the displayed text, potentially indicating thread hijacking or conversation spoofing."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and strings.icontains(body.html.inner_text, 'from:')
+  and strings.icontains(body.html.inner_text, 'to:')
+  and strings.icontains(body.html.inner_text, 'date:')
+  and strings.icount(body.html.inner_text,
+                     strings.concat('<', recipients.to[0].email.email, '>')
+  ) >= 2
+  and not (
+    strings.icontains(body.html.display_text, 'from:')
+    and strings.icontains(body.html.display_text, 'to:')
+    and strings.icontains(body.html.display_text, 'date:')
+  )
+  and strings.icount(body.html.display_text,
+                     strings.concat('<', recipients.to[0].email.email, '>')
+  ) == 0
+  and not coalesce(headers.return_path.domain.subdomain == 'gerritcodereview.bounces',
+                   false
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "HTML analysis"
+id: "de0cf949-e38e-5a1a-b927-96cd1e6b4531"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_D-Bolton
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4308
