• Sublime Core Feed
High Severity

HTML smuggling with atob in message body

Labels

Credential Phishing
Malware/Ransomware
HTML smuggling
Content analysis
HTML analysis

Description

Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call. This technique has been observed leading to credential phishing.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (length(body.plain.raw) < 200 or body.plain.raw is null)
and regex.icontains(body.html.raw,
                    "document.{0,10}(write|insertAdjacentHTML).{0,10}atob"
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started