From 20c5d5705ed00471fd4ef0ef694958c9a6525cd0 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Tue, 4 Nov 2025 12:42:35 -0600
Subject: [PATCH 1/3] new rule

---
 ...headers_mailer_contains_hidden_content.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 detection-rules/headers_mailer_contains_hidden_content.yml

diff --git a/detection-rules/headers_mailer_contains_hidden_content.yml b/detection-rules/headers_mailer_contains_hidden_content.yml
new file mode 100644
index 00000000000..23c0100a928
--- /dev/null
+++ b/detection-rules/headers_mailer_contains_hidden_content.yml
@@ -0,0 +1,21 @@
+name: "Headers: Microsoft CDO or PHPMailer with hidden HTML content"
+description: "Detects messages sent via Microsoft CDO for Windows 2000 or PHPMailer that contain HTML paragraph elements with transparent text or hidden content styling, commonly used to evade content analysis."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and (headers.mailer == 'Microsoft CDO for Windows 2000' or strings.ilike(headers.mailer, "PHPMailer*"))
+ and any(html.xpath(body.html, '//p').nodes,
+ .display_text == '' and
+ .inner_text == '' and
+ regex.icontains(.raw, '[^-]color\s*:\s*transparent|mso-hide\s*:\s*all'))
+
+attack_types:
+ - "Credential Phishing"
+ - "Spam"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "HTML analysis"
\ No newline at end of file

From e3101eca5856d3547ac2d3d3b7b9832b795611d8 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 4 Nov 2025 18:45:32 +0000
Subject: [PATCH 2/3] Auto add rule ID

---
 detection-rules/headers_mailer_contains_hidden_content.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/headers_mailer_contains_hidden_content.yml b/detection-rules/headers_mailer_contains_hidden_content.yml
index 23c0100a928..e9c9777d206 100644
--- a/detection-rules/headers_mailer_contains_hidden_content.yml
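Review bot: The `any(...)` predicate on the `+ .display_text == '' and` / `+ .inner_text == '' and` lines requires both text fields to be empty, so a `<p>` whose text is merely styled transparent — the case the name and description call out — would not match if `.inner_text` still carries the element's text content, and the rule would only fire on paragraphs that contain no text at all but carry the hiding style. If that is the intent (empty hidden paragraphs used as filler), the description should say so; otherwise the `.inner_text == ''` condition should be dropped so present-but-transparent text is caught. The regex on the `regex.icontains` line also covers only two patterns (`color: transparent` and `mso-hide: all`) while the description claims "hidden content styling" in general, so either narrow the description or document which patterns are deliberately out of scope. Minor: the CDO mailer is matched with a case-sensitive `==` while PHPMailer uses `strings.ilike`; `strings.ilike(headers.mailer, 'Microsoft CDO for Windows 2000')` would make the two comparisons consistent.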
+++ b/detection-rules/headers_mailer_contains_hidden_content.yml
@@ -18,4 +18,5 @@ tactics_and_techniques:
 detection_methods:
 - "Content analysis"
 - "Header analysis"
- - "HTML analysis"
\ No newline at end of file
+ - "HTML analysis"
+id: "550f1cff-6203-543a-9aa4-54717148bca9"

From 6544e8becb59918db97850c942f57504ecbf0be2 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Wed, 5 Nov 2025 08:56:06 -0600
Subject: [PATCH 3/3] fix formatting

---
 .../headers_mailer_contains_hidden_content.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/detection-rules/headers_mailer_contains_hidden_content.yml b/detection-rules/headers_mailer_contains_hidden_content.yml
index e9c9777d206..542962dd434 100644
--- a/detection-rules/headers_mailer_contains_hidden_content.yml
+++ b/detection-rules/headers_mailer_contains_hidden_content.yml
@@ -4,11 +4,17 @@ type: "rule"
 severity: "low"
 source: |
 type.inbound
- and (headers.mailer == 'Microsoft CDO for Windows 2000' or strings.ilike(headers.mailer, "PHPMailer*"))
+ and (
+ headers.mailer == 'Microsoft CDO for Windows 2000'
+ or strings.ilike(headers.mailer, "PHPMailer*")
+ )
 and any(html.xpath(body.html, '//p').nodes,
- .display_text == '' and
- .inner_text == '' and
- regex.icontains(.raw, '[^-]color\s*:\s*transparent|mso-hide\s*:\s*all'))
+ .display_text == ''
+ and .inner_text == ''
+ and regex.icontains(.raw,
+ '[^-]color\s*:\s*transparent|mso-hide\s*:\s*all'
+ )
+ )
 
 attack_types:
 - "Credential Phishing"