Sublime Core Feed
High Severity

Link: Credential theft with invisible Unicode character in page title from unsolicited sender

Description

Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages.

References

No references.

Sublime Security
Created Feb 13th, 2026 • Last updated Feb 13th, 2026
Source
type.inbound
// single recipient
and length(recipients.to) == 1
// valid recipient domain
and recipients.to[0].email.domain.valid
// between 1 and 14 links in the email
and 0 < length(body.links) < 15
// length of current thread is under 11k
and length(body.current_thread.text) < 11000
// tycoon captchas often have a page title with a specific unicode invisible char
and any(body.links,
        strings.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                         "<title>\u{200B}</title>"
        )
        and length(ml.link_analysis(., mode="aggressive").final_dom.raw) < 10000
)
// unsolicited message
and not profile.by_sender().solicited
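
The title check from the rule above, reproduced offline as an added Python example (not Sublime's code and not MQL). It goes beyond the rule's exact `<title>\u{200B}</title>` match by flagging any title made up only of zero-width characters. The character set, function names and sample DOMs are assumptions constructed for illustration.

```python
import re

# Zero-width code points treated as "invisible" (assumed set; the rule on this
# page matches U+200B only).
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
MAX_DOM_LEN = 10000  # same size bound the rule applies to final_dom.raw

TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)


def invisible_title(dom: str) -> bool:
    """True if the first <title> is non-empty and holds only invisible characters."""
    m = TITLE_RE.search(dom)
    if not m:
        return False
    title = m.group(1)
    # all() is True for an empty string, so require at least one character.
    return len(title) > 0 and all(ch in INVISIBLE for ch in title)


def matches_rule_condition(dom: str) -> bool:
    """Mirror of the rule's per-link condition: small DOM plus invisible-only title."""
    return len(dom) < MAX_DOM_LEN and invisible_title(dom)


def describe_title(dom: str) -> str:
    """Render the title as U+XXXX code points so an analyst can see what is there."""
    m = TITLE_RE.search(dom)
    return " ".join(f"U+{ord(c):04X}" for c in m.group(1)) if m else "<no title>"


# Constructed sample DOMs (not captured from real pages).
SAMPLES = {
    "zwsp_title": "<html><head><title>\u200b</title></head><body></body></html>",
    "mixed_invisible": "<html><head><TITLE>\u200b\u200d\ufeff</TITLE></head></html>",
    "normal_title": "<html><head><title>Sign in</title></head></html>",
    "empty_title": "<html><head><title></title></head></html>",
    "large_dom": "<html><head><title>\u200b</title></head>" + "<p>x</p>" * 2000 + "</html>",
}

if __name__ == "__main__":
    for name, dom in SAMPLES.items():
        print(f"{name:16} match={matches_rule_condition(dom)!s:5} title={describe_title(dom)}")
```

The `large_dom` sample has an invisible title but fails the size bound, which shows how the under-10000-character condition narrows the match to minimal landing pages.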