Medium Severity

Credential theft: JavaScript date manipulation in HTML body

Labels

Credential Phishing
Evasion
Scripting
Social engineering
HTML analysis
Javascript analysis
Natural Language Understanding

Description

Detects inbound messages containing JavaScript that uses date manipulation functions (setDate/getDate) within script tags, combined with credential theft intent identified by NLU classification. This pattern is commonly used to evade detection by dynamically altering content or expiry logic while targeting user credentials.

References

No references.

Sublime Security
Created Jun 29th, 2026 • Last updated Jun 29th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and regex.contains(body.html.raw,
                   '<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started