High Severity

HTML: Template placeholders or recipient email in element class attributes

Description

Detects inbound messages where HTML element class attributes contain either unfilled template placeholders (e.g., {email}, {RECIPIENT_EMAIL}, {domain}) or the recipient's actual email address — optionally wrapped in curly braces. This pattern indicates a bulk-sending infrastructure that failed to substitute personalization tokens, or one that embeds recipient identifiers directly into HTML class names for tracking or evasion purposes. Observed samples follow a consistent pattern: subjects contain numeric identifiers flanking the recipient's email address, and senders vary across unrelated domains, suggesting a coordinated operation targeting multiple organizations including technology and fitness brands.

References

No references.

Sublime Security
Created Jun 30th, 2026 • Last updated Jun 30th, 2026
Source
type.inbound
and (
  // observed unpopulated template variables in class names
  any(html.xpath(body.html, "//*/@class").nodes,
      regex.icontains(.raw,
                      '\{\s*(?:domain|email|(?:RECIPIENT|SENDER)[_\s]?EMAIL)\s*\}'
      )
  )

  // check where class names _are_ the email address, or contain the email address are wrapped in { } or start/end with { or }
  or any(recipients.to,
         .email.email != ""
         and any(html.xpath(body.html, "//*/@class").nodes,
                 .raw =~ ..email.email
                 or .raw =~ strings.concat("{", ..email.email, "}")
                 or .raw =~ strings.concat("{", ..email.email)
                 or .raw =~ strings.concat(..email.email, "}")
         )
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started