Create html_cred_link.yml#4658

Open: cybher0808 wants to merge 4 commits into main from cybher0808.fn.esc-15469.htmlcred

cybher0808 commented Jun 12, 2026

Member

Description

Created this rule for coverage of FNs in the queue. Detects messages containing specific HTML print styling directives with credential theft language.

Associated samples

Associated hunts

This rule detects HTML content with specific print styling and credential theft language, indicating potential phishing attempts.
cybher0808 requested a review from a team June 12, 2026 16:00
cybher0808 requested a review from a team as a code owner June 12, 2026 16:00
cybher0808 self-assigned this Jun 12, 2026
cybher0808 and others added 3 commits June 12, 2026 12:25
small change to if this commit will pass
Ran into the issue before with the wrong folder path.
cybher0808 added the in-test-rules label (PR is in our testing suite to collect telemetry) Jun 12, 2026
github-actions Bot added a commit that referenced this pull request Jun 12, 2026
github-actions Bot added a commit that referenced this pull request Jun 12, 2026
…print styling and credential theft language
cybher0808 commented Jun 12, 2026

Member Author

Results target a bunch of malicious and more than 100+ FNs. See notes for further details: ESC-15469.
Marking for R4R to get feedback to get this out possibly sooner.

cybher0808 added the review-needed label (Indicates that a PR is waiting for review) Jun 12, 2026

Labels

in-test-rules: PR is in our testing suite to collect telemetry
review-needed: Indicates that a PR is waiting for review
