Medium Severity

Credential theft: JavaScript date manipulation in HTML body

Description

Detects inbound messages whose raw HTML body contains a script block that calls the JavaScript date-manipulation functions setDate() and getDate(), combined with credential-theft intent identified by NLU classification of the current thread text. This pattern is commonly used to evade detection by dynamically altering content or expiry logic (for example, a "link expires tomorrow" deadline computed at render time) while targeting user credentials.

References

No references.

Sublime Security
Created Jun 29th, 2026 • Last updated Jun 29th, 2026
Source
type.inbound
and regex.contains(body.html.raw,
                   '<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)
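To show what the two clauses of this rule match on, here is an added Python example (not Sublime's code and not an MQL interpreter) that mirrors the logic over constructed message samples. The regex is the rule's own; Python's re and the RE2 engine MQL uses agree on the constructs it contains. The NLU classifier cannot be reproduced offline, so the intent list is a stand-in supplied with each sample, and the message dict fields (type, body_html_raw, intents) are assumptions chosen for the example rather than MQL field names.

```python
import re

# Same pattern the rule passes to regex.contains(body.html.raw, ...).
SCRIPT_DATE_PATTERN = re.compile(
    r'<script[^>]*>[^<]*setDate\s*\(\s*[^<]*getDate\s*\('
)


def script_uses_date_manipulation(body_html_raw: str) -> bool:
    """Mirror of the regex.contains() clause: a <script> tag followed, without an
    intervening '<', by a setDate( call and then a getDate( call."""
    return SCRIPT_DATE_PATTERN.search(body_html_raw) is not None


def has_cred_theft_intent(intents) -> bool:
    """Mirror of any(ml.nlu_classifier(...).intents, .name == "cred_theft").
    `intents` is a list of {"name": ...} dicts standing in for classifier output
    (constructed for this example; the real classifier runs server-side)."""
    return any(intent.get("name") == "cred_theft" for intent in intents)


def rule_matches(message: dict) -> bool:
    """Combine the three clauses: inbound AND regex AND cred_theft intent."""
    if message.get("type") != "inbound":
        return False
    return (script_uses_date_manipulation(message["body_html_raw"])
            and has_cred_theft_intent(message["intents"]))


# Constructed sample messages (not real traffic).
PHISH_HTML = (
    "<html><body><p>Your mailbox password expires soon.</p>"
    "<script>var d=new Date();d.setDate(d.getDate()+1);"
    "document.getElementById('exp').innerText=d.toDateString();</script>"
    "<span id='exp'></span><a href='https://example.invalid/login'>Verify now</a>"
    "</body></html>"
)
NEWSLETTER_HTML = (
    "<html><body><p>Weekly digest</p>"
    "<script>document.write(new Date().getDate());</script></body></html>"
)

SAMPLES = {
    # Date-manipulation script plus credential-theft intent: the rule fires.
    "phish": {"type": "inbound", "body_html_raw": PHISH_HTML,
              "intents": [{"name": "cred_theft", "confidence": "high"}]},
    # Same script, but the classifier saw no credential-theft language: no match.
    "phish_no_intent": {"type": "inbound", "body_html_raw": PHISH_HTML,
                        "intents": [{"name": "benign", "confidence": "high"}]},
    # Script only reads the date (no setDate), so the regex clause fails.
    "newsletter": {"type": "inbound", "body_html_raw": NEWSLETTER_HTML,
                   "intents": [{"name": "cred_theft", "confidence": "low"}]},
    # Outbound copy of the phish: the type.inbound clause excludes it.
    "outbound": {"type": "outbound", "body_html_raw": PHISH_HTML,
                 "intents": [{"name": "cred_theft", "confidence": "high"}]},
}


def evaluate_all() -> dict:
    """Return {sample name: rule result} for every constructed sample."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:16s} -> {'MATCH' if hit else 'no match'}")
```

The split into three functions is deliberate: when tuning a rule like this, it is useful to see which clause stopped a message (the regex, the classifier, or direction) rather than only the combined verdict, since the regex alone is noisy on legitimate countdown widgets and the intent clause is what keeps the rule at medium severity with acceptable false positives.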