
Summary
Detects inbound emails in which an HTML element's class attribute contains an unfilled template placeholder (for example {email}, {RECIPIENT_EMAIL} or {domain}) or the recipient's own address. The address may be the entire class value or one token within it, and may appear bare or wrapped in one or both braces (for example {user@example.com} or the malformed {user@example.com, where only the opening brace survived). Either form indicates bulk-sending infrastructure that failed to substitute its personalization tokens, or a deliberate mechanism that embeds recipient identifiers in class names for tracking or evasion.

Observed samples carry subjects in which numeric identifiers flank the recipient's email address, and senders from domains unrelated to the recipient, consistent with one coordinated operation targeting multiple organizations across industries, including technology and fitness brands.

The detection extracts class attributes from the HTML body and applies regex checks to each value: one for brace-delimited placeholders, one for the recipient's address with optional surrounding braces. The rule is high severity and maps to credential phishing and BEC/fraud. Tactics: evasion and social engineering. Techniques: HTML and content inspection to surface tokenization failures and recipient-identifier leakage.
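The two checks described above, written out as a stand-alone Python reference (an added example, not the rule's own query language or code): class attributes are pulled from the body with the standard-library HTML parser, each value is scanned for brace-delimited placeholders and for the recipient's address with zero, one or two surrounding braces, and the subject is separately tested for the numeric-identifier pattern seen in observed samples. The sample HTML, subject and recipient address are constructed for the example; the function names are this example's own.

```python
import re
from html.parser import HTMLParser

# Unfilled merge tag: an identifier-like token wrapped in braces, e.g. {email}, {RECIPIENT_EMAIL}
PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")


class _ClassCollector(HTMLParser):
    """Collects the raw value of every class attribute in the document."""

    def __init__(self):
        super().__init__()
        self.classes = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == "class" and value:
                self.classes.append(value)


def extract_class_attrs(html):
    parser = _ClassCollector()
    parser.feed(html)
    parser.close()
    return parser.classes


def recipient_in_class_re(recipient):
    # The literal address, optionally preceded by '{' and/or followed by '}'.
    # This also catches the half-wrapped '{user@example.com' form.
    return re.compile(r"\{?" + re.escape(recipient) + r"\}?", re.IGNORECASE)


def class_findings(html, recipient):
    """Return (kind, matched_text) for every suspicious token across all class attributes."""
    addr_re = recipient_in_class_re(recipient)
    findings = []
    for value in extract_class_attrs(html):
        for tag in PLACEHOLDER_RE.findall(value):
            findings.append(("unfilled_placeholder", tag))
        for hit in addr_re.findall(value):
            findings.append(("recipient_in_class", hit))
    return findings


def subject_flanked_by_numbers(subject, recipient):
    """True when the subject has digits on both sides of the recipient address."""
    pattern = re.compile(r"\d+\s*" + re.escape(recipient) + r"\s*\d+", re.IGNORECASE)
    return pattern.search(subject) is not None


def evaluate(html, subject, recipient):
    """Verdict: the class-attribute check alone fires the rule; the subject
    pattern is recorded as supporting evidence, not a requirement."""
    findings = class_findings(html, recipient)
    return {
        "class_findings": findings,
        "subject_flanked": subject_flanked_by_numbers(subject, recipient),
        "flag": bool(findings),
    }


# Constructed sample input (not from any real campaign)
RECIPIENT = "victim@example.com"
SAMPLE_SUBJECT = "483920 victim@example.com 71"
SAMPLE_HTML = (
    '<html><body>'
    '<div class="wrapper {RECIPIENT_EMAIL}">'
    '<a class="{domain}" href="https://example.invalid/login">Verify</a>'
    '<span class="{victim@example.com}">x</span>'
    '<p class="victim@example.com">y</p>'
    '<td class="{victim@example.com">z</td>'
    '</div></body></html>'
)
BENIGN_HTML = '<div class="header main"><a class="btn btn-primary" href="#">Hi</a></div>'

if __name__ == "__main__":
    for label, html in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, evaluate(html, SAMPLE_SUBJECT, RECIPIENT))
```

Scanning each class value with `findall` rather than splitting on whitespace keeps a placeholder embedded in a longer token (such as `user-{email}`) visible. Note that the address regex is anchored only to the recipient's own address, so a class that names some other address is not flagged by this check, and the brace-only placeholder regex will not see merge-tag syntaxes that use other delimiters; both are deliberate limits of the pattern as described.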
Categories
- Web
- Application
Data Sources
- Script
Created: 2026-07-01