
Summary
This rule detects inbound messages that attempt credential theft by combining two signals: malicious JavaScript in the HTML body and a credential-theft intent identified by a natural language understanding (NLU) classifier. Specifically, it looks for a script tag in the HTML body whose JavaScript manipulates dates (setDate/getDate), a common evasion technique for altering expiry or content logic. It augments this with a positive NLU signal (intent name cred_theft) derived from the message context. When both conditions are met, the rule flags a credential phishing scenario that uses scripting and evasion to mislead users into divulging credentials.
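As an added illustration of the two conditions the rule combines (this is example code, not the rule's own implementation or query language), the Python below parses an HTML body for script tags that call setDate/getDate and ANDs that with an NLU intent list; the sample message and the classifier output are constructed, and the NLU classifier itself is assumed to run upstream.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an inbound HTML message whose body carries a script tag
# with date manipulation, plus the (assumed upstream) NLU classifier's output.
SAMPLE_HTML = """<html><body>
<p>Your mailbox password expires today. Re-enter it below to stay signed in.</p>
<script>
  var d = new Date(); d.setDate(d.getDate() + 1);
  document.getElementById('exp').innerText = d.toDateString();
</script>
<form action="https://example.invalid/login"><input name="password"></form>
</body></html>"""
SAMPLE_NLU_INTENTS = ["cred_theft"]  # constructed classifier output

# Matches a call to setDate( or getDate(, allowing whitespace before the paren.
DATE_MANIPULATION = re.compile(r"\b(?:setDate|getDate)\s*\(")


class ScriptCollector(HTMLParser):
    """Collects the text content of every <script> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so no entity decoding
        # interferes with the regex; text outside <script> is ignored.
        if self._in_script:
            self.scripts[-1] += data


def script_has_date_manipulation(html_body: str) -> bool:
    """Condition 1: some <script> in the HTML body calls setDate() or getDate()."""
    parser = ScriptCollector()
    parser.feed(html_body)
    return any(DATE_MANIPULATION.search(s) for s in parser.scripts)


def matches_rule(html_body: str, nlu_intents) -> bool:
    """The rule fires only when both the script signal and the NLU intent are present."""
    return script_has_date_manipulation(html_body) and "cred_theft" in nlu_intents
```

Either signal alone is insufficient: a date-manipulating script in a benign newsletter, or a cred_theft intent in a plain-text message, does not produce a match.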
Categories
- Web
Data Sources
- Script
Created: 2026-06-30