• Sublime Core Feed
High Severity

Credential theft: Gophish abuse with hidden tracking image

Labels

Spam
Evasion
Image as content
Content analysis
HTML analysis

Description

Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring.

References

No references.

Sublime Security
Created Nov 5th, 2025 • Last updated Nov 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  strings.icontains(body.html.raw,
                    '<img alt='''' style=''display: none'' src='''
  )
  or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
)
and strings.icontains(body.html.raw, '/track?rid=')
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started