Update spam_image_hidden_element.yml (#2309)

sublime-security · Jan 14, 2025 · 5607dfb · 5607dfb
1 parent 5ddd3e8
commit 5607dfb
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/detection-rules/spam_image_hidden_element.yml b/detection-rules/spam_image_hidden_element.yml
@@ -53,10 +53,10 @@ source: |
       or 
       // the hidden span/div is before the body/meta
       regex.contains(body.html.raw,
-                     '<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta)'
+                     '<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta|(?:<?div[^\>]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,})'
       )
       // the length of the inner text is greather than or equal to 10x more than the display text
-      // this attempts to generically cover multiple methods of hidding text
+      // this attempts to generically cover multiple methods of hiding text
       or length(body.html.inner_text) >= (length(body.html.display_text) * 10)
     )
   )