Create link_microsoft_html_generator.yml

detection-rules/link_microsoft_html_generator.yml

@@ -0,0 +1,34 @@
+name: "Link: Microsoft HTML generator with recipient targeting"
+description: "Detects messages with HTML content generated by Microsoft tools (MSHTML) or specific CSS styling patterns, where links contain the recipient's email address in URL parameters, paths, or fragments. This targeting technique is commonly used to personalize malicious content and bypass security filters."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    length(html.xpath(body.html,
+                      "//div[contains(@style, 'ORPHANS: 2;') and contains(@style, 'WIDOWS: 2;')]"
+           ).nodes
+    ) == 2
+    or length(html.xpath(body.html,
+                         "//meta[@name='GENERATOR' and contains(@content, 'MSHTML')]"
+              ).nodes
+    ) == 1
+  )
+  and (
+    any(recipients.to,
+        any(body.links, ..email.email in .href_url.query_params_decoded["eta"])
+        or any(body.links, strings.icontains(.href_url.path, ..email.email))
+        or any(body.links, .href_url.fragment == ..email.email)
+    )
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "HTML analysis"
+  - "Content analysis"
+  - "URL analysis"
+id: "09d596e0-47eb-5403-9f1e-784474396a15"