[Shared Samples] [PR #4701] added rule: PR# 4701 - Body: Suspicious table template fingerprint

github-actions[bot] · github-actions[bot] · commit c2b9c8bc8cd6 · 2026-06-18T21:02:51.000Z
diff --git a/detection-rules/4701_body_suspicious_table_template.yml b/detection-rules/4701_body_suspicious_table_template.yml
@@ -0,0 +1,28 @@
+name: "PR# 4701 - Body: Suspicious table template fingerprint"
+description: "Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // table template fingerprint — any background color
+  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
+          .display_text == "Important"
+  )
+  and any(html.xpath(body.html, '//td[contains(@style, "background-color")]').nodes,
+          .display_text == "Company"
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "HTML analysis"
+  - "Content analysis"
+id: "7e88995c-080e-54c7-8ff6-7b8541a34cef"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_IndiaAce
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4701
