High Severity

HTML content with print styling and credential theft language

Description

Detects messages containing specific HTML print styling directives combined with high or medium confidence credential theft language, often used to format malicious content for printing or display.

References

No references.

Sublime Security
Created Jun 16th, 2026 • Last updated Jun 16th, 2026
Source
type.inbound
and strings.icontains(body.html.raw,
                      '<style>html {-webkit-print-color-adjust: exact} @media print {html, body {margin: 0; padding: 0; break-inside: avoid; page-break-inside: avoid}}'
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence != 'low'
)
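The rule's three conditions modelled in Python, as an added example that is not Sublime's code. The message dictionaries and intent lists are constructed sample data standing in for the parsed message and the `ml.nlu_classifier` output, and the helper names are hypothetical.

```python
# Added illustration: a Python model of the rule's three conditions.
# All sample messages and classifier intents below are constructed.

PRINT_STYLE = (
    "<style>html {-webkit-print-color-adjust: exact} "
    "@media print {html, body {margin: 0; padding: 0; "
    "break-inside: avoid; page-break-inside: avoid}}"
)

def has_print_style(html_raw):
    """Case-insensitive substring test, like strings.icontains."""
    return PRINT_STYLE.lower() in (html_raw or "").lower()

def has_cred_theft_intent(intents):
    """True if any intent is cred_theft with a confidence other than low."""
    return any(i.get("name") == "cred_theft" and i.get("confidence") != "low"
               for i in intents)

def evaluate(msg):
    """Return each condition's result plus the overall verdict."""
    checks = {
        "inbound": msg.get("type") == "inbound",
        "print_style": has_print_style(msg.get("html")),
        "cred_theft": has_cred_theft_intent(msg.get("intents", [])),
    }
    checks["match"] = all(checks.values())
    return checks

def sample(html_body, intents, direction="inbound"):
    """Build a constructed message record (hypothetical shape)."""
    return {"type": direction, "html": html_body, "intents": intents}

HIGH = [{"name": "cred_theft", "confidence": "high"}]
LOW = [{"name": "cred_theft", "confidence": "low"}]
# Upper-cased styling still matches because the comparison ignores case.
STYLED = ("<html><head>" + PRINT_STYLE.upper() +
          "</style></head><body>Verify your password</body></html>")
PLAIN = "<html><body>Verify your password</body></html>"

SAMPLES = {
    "styled_high": sample(STYLED, HIGH),
    "styled_low": sample(STYLED, LOW),
    "plain_high": sample(PLAIN, HIGH),
    "styled_high_outbound": sample(STYLED, HIGH, "outbound"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The per-condition output shows which clause kept a message from matching, which helps when triaging why a sample did or did not fire.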