Body HTML: Comment with 24-character hex token
Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Evasion |
Event coverage
Rule body MQL
```mql
type.inbound
and (
  // branch 1: a 24-character hex comment is the very first thing in the raw HTML
  regex.icontains(body.html.raw, '^\s*<!--\s*[a-f0-9]{24}\s*-->')
  // branch 2: some comment node consists solely of a 24-character hex token ...
  or (
    any(html.xpath(body.html, '//comment()').nodes,
        regex.icontains(.raw, '^<!--\s*[a-f0-9]{24}\s*-->$')
    )
    // ... and no comment node is an MSO conditional comment ('[if mso]' style),
    // which legitimate Outlook-targeted mail uses routinely
    and not any(html.xpath(body.html, '//comment()').nodes,
                strings.icontains(.raw, '[if')
    )
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- any of:
  - body.html.raw matches `^\s*<!--\s*[a-f0-9]{24}\s*-->`
  - all of:
    - any of html.xpath(body.html, '//comment()').nodes where:
      - .raw matches `^<!--\s*[a-f0-9]{24}\s*-->$`
    - not:
      - any of html.xpath(body.html, '//comment()').nodes where:
        - .raw contains `[if`
Inspects: body.html, body.html.raw, type.inbound. Sensors: html.xpath, regex.icontains, strings.icontains.
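The two branches above are easy to misread, so here is the same logic re-implemented in Python and run over a handful of constructed HTML bodies. This is an added example, not Sublime's code: it stands in for `html.xpath(..., '//comment()')` with Python's `html.parser`, rebuilds each comment's `.raw` text with its `<!-- -->` delimiters, and applies the rule's regexes case-insensitively as `regex.icontains` does. The sample bodies and the 24-character tokens in them are made up for the demonstration.

```python
import re
from html.parser import HTMLParser

# Regexes copied from the rule; IGNORECASE mirrors regex.icontains / strings.icontains
LEADING_HEX_COMMENT = re.compile(r'^\s*<!--\s*[a-f0-9]{24}\s*-->', re.IGNORECASE)
HEX_ONLY_COMMENT = re.compile(r'^<!--\s*[a-f0-9]{24}\s*-->$', re.IGNORECASE)


class CommentCollector(HTMLParser):
    """Collects every HTML comment node, stand-in for xpath('//comment()')."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # html.parser hands us only the inner text; MQL's .raw keeps the delimiters
        self.comments.append(f"<!--{data}-->")


def html_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def matches_rule(body_html, inbound=True):
    """Return True when the message would match the rule body shown on this page."""
    if not inbound:
        return False
    # Branch 1: hex comment is the first thing in the raw HTML; MSO comments
    # elsewhere do NOT suppress this branch, exactly as in the rule.
    if LEADING_HEX_COMMENT.search(body_html):
        return True
    # Branch 2: any comment is exactly a 24-hex token, and no comment is an
    # MSO conditional comment ('[if ...]').
    comments = html_comments(body_html)
    has_hex_comment = any(HEX_ONLY_COMMENT.search(c) for c in comments)
    has_mso_comment = any('[if' in c.lower() for c in comments)
    return has_hex_comment and not has_mso_comment


# Constructed sample bodies (tokens are arbitrary, not real indicators)
SAMPLES = {
    "leading_token": "\n  <!-- 0123456789abcdef01234567 -->\n<html><body>Hi</body></html>",
    "embedded_token": "<html><body><p>Hi</p><!--ABCDEF0123456789ABCDEF01--></body></html>",
    "token_plus_mso": "<html><!--[if mso]><table><![endif]--><body>"
                      "<!--0123456789abcdef01234567--></body></html>",
    "leading_token_plus_mso": "<!--0123456789abcdef01234567--><html>"
                              "<!--[if mso]>x<![endif]--></html>",
    "benign_comment": "<html><!-- header --><body>Hi</body></html>",
    "short_token": "<html><!-- 0123456789abcdef --></html>",
    "md5_length_token": "<html><!--0123456789abcdef0123456789abcdef--></html>",
}


def scan(samples=SAMPLES):
    """Run the rule over every sample and return {name: matched}."""
    return {name: matches_rule(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:24s} -> {'MATCH' if hit else 'no match'}")
```

Two outcomes are worth noticing: `token_plus_mso` is suppressed because the `[if mso]` exclusion only applies to the second branch, while `leading_token_plus_mso` still matches because the first branch has no such exclusion; and a 32-character (MD5-length) token is not matched, since both regexes require exactly 24 hex characters followed by optional whitespace and `-->`.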
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
| regex.icontains | regex | `^\s*<!--\s*[a-f0-9]{24}\s*-->` |
| regex.icontains | regex | `^<!--\s*[a-f0-9]{24}\s*-->$` |
| strings.icontains | substring | `[if` |