From fc9eff4c1d6d8e02d98b91ad9688fc5ffb5ebb63 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Mon, 22 Dec 2025 15:58:50 -0600
Subject: [PATCH 1/2] Create link_microsoft_html_generator.yml
---
 .../link_microsoft_html_generator.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 detection-rules/link_microsoft_html_generator.yml
diff --git a/detection-rules/link_microsoft_html_generator.yml b/detection-rules/link_microsoft_html_generator.yml
new file mode 100644
index 00000000000..6f3947c17eb
--- /dev/null
+++ b/detection-rules/link_microsoft_html_generator.yml
@@ -0,0 +1,33 @@
+name: "Link: Microsoft HTML generator with recipient targeting"
+description: "Detects messages with HTML content generated by Microsoft tools (MSHTML) or specific CSS styling patterns, where links contain the recipient's email address in URL parameters, paths, or fragments. This targeting technique is commonly used to personalize malicious content and bypass security filters."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ length(html.xpath(body.html,
+ "//div[contains(@style, 'ORPHANS: 2;') and contains(@style, 'WIDOWS: 2;')]"
+ ).nodes
+ ) == 2
+ or length(html.xpath(body.html,
+ "//meta[@name='GENERATOR' and contains(@content, 'MSHTML')]"
+ ).nodes
+ ) == 1
+ )
+ and (
+ any(recipients.to,
+ any(body.links, ..email.email in .href_url.query_params_decoded["eta"])
+ or any(body.links, strings.icontains(.href_url.path, ..email.email))
+ or any(body.links, .href_url.fragment == ..email.email)
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "HTML analysis"
+ - "Content analysis"
+ - "URL analysis"
From 48ef3ca6950da4d1bc3ce7bd32553e9f3af3b2fd Mon Sep 17 00:00:00 2001
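Review bot: The three recipient-address checks inside `any(recipients.to, ...)` disagree on case handling — the path check uses `strings.icontains`, while the `eta` query-parameter check uses what appears to be a case-sensitive `in` and the fragment check a case-sensitive `==`, so an address whose letter case differs from the `recipients.to` entry satisfies one branch but not the other two. Mail-merge links routinely carry the address in mixed case, so the branches should be normalized, e.g. `any(body.links, strings.icontains(.href_url.query_params_decoded["eta"], ..email.email))` and `any(body.links, strings.ilike(.href_url.fragment, ..email.email))`. The rule also has no false-positive guard: as far as I know the MSHTML generator meta tag and ORPHANS/WIDOWS styling are common in ordinary Word/Outlook-generated HTML, and legitimate marketing and unsubscribe links often embed the recipient's address in the path, so at `severity: "high"` it would be worth adding the sender-reputation exclusion the repository's other rules use, if they do (e.g. `and not profile.by_sender().solicited`). The exact counts `== 2` and `== 1` on the xpath node lists read as a fingerprint of a specific kit rather than a generic "present" check; if that is intended, a sentence in `description` saying why exactly two styled divs are required would help the next maintainer, and if not, `> 0` is the safer form.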
From: ID Generator
Date: Mon, 22 Dec 2025 22:02:53 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/link_microsoft_html_generator.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_microsoft_html_generator.yml b/detection-rules/link_microsoft_html_generator.yml
index 6f3947c17eb..760a1aae3e8 100644
--- a/detection-rules/link_microsoft_html_generator.yml
+++ b/detection-rules/link_microsoft_html_generator.yml
@@ -31,3 +31,4 @@ detection_methods:
 - "HTML analysis"
 - "Content analysis"
 - "URL analysis"
+id: "09d596e0-47eb-5403-9f1e-784474396a15"