Medium Severity

Link: Fake secure message notification template

Description

Detects inbound messages containing links that match a specific HTML styling fingerprint characterized by a distinctive blue color scheme (rgb(41, 88, 140)), a bottom border of 10px solid with the same blue, and a padding of 1.6em. This combination of CSS properties is associated with malicious messages designed to lure recipients into clicking embedded links.

References

No references.

Sublime Security
Created Jun 25th, 2026 • Last updated Jun 25th, 2026
Source
type.inbound
and length(body.links) > 0
and regex.icontains(body.html.raw,
                    'background-color\s*:\s*rgb\(41,\s*88,\s*140\)'
)
and regex.icontains(body.html.raw,
                    'border-bottom\s*:\s*10px\s+solid\s+rgb\(41,\s*88,\s*140\)'
)
and regex.icontains(body.html.raw, 'padding\s*:\s*1\.6em')
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started