From dcfd480d5f1148858d8ed8ab5fb8be84abc7c253 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 14 Jan 2025 09:54:37 -0600
Subject: [PATCH 1/2] Update spam_image_hidden_element.yml
---
 detection-rules/spam_image_hidden_element.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/spam_image_hidden_element.yml b/detection-rules/spam_image_hidden_element.yml
index f75e545b38f..0b0444de71f 100644
--- a/detection-rules/spam_image_hidden_element.yml
+++ b/detection-rules/spam_image_hidden_element.yml
@@ -53,7 +53,7 @@ source: |
 or
 // the hidden span/div is before the body/meta
 regex.contains(body.html.raw,
- '<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta)'
+ '<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta|(?:]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,})'
 )
 // the length of the inner text is greather than or equal to 10x more than the display text
 // this attempts to generically cover multiple methods of hidding text
From fec7f78d73c144a3004e3fbc31443c6e1fd6b0e4 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 14 Jan 2025 10:21:51 -0600
Subject: [PATCH 2/2] fix typo
---
 detection-rules/spam_image_hidden_element.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/spam_image_hidden_element.yml b/detection-rules/spam_image_hidden_element.yml
index 0b0444de71f..8aa9b7568d6 100644
--- a/detection-rules/spam_image_hidden_element.yml
+++ b/detection-rules/spam_image_hidden_element.yml
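Review bot: The new alternative added on the `+` line, `(?:]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,}`, begins with a bare `]+`, which in most regex engines is a literal `]` repeated rather than the end of a character class, so the branch can only match text like `]]>` followed by a closing `</div>` and will not match the nested-div structure the closing `<\/div>` suggests. It looks like the tag name and the start of the attribute class were lost ahead of `]+\>`; assuming a div was intended, the branch should read `(?:div[^\>]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,}`, which also fits the `[^\>]*` style used at the start of the same pattern. PATCH 2/2 only corrects `hidding` and carries this line unchanged as context, so the defect survives the series; a sample message exercising the new branch would have caught it. The `{2,}` repetition over `[^\<]*` and `\s*`, which both admit whitespace, can also backtrack heavily on large bodies, so behaviour under the engine's step limit is worth confirming. The surrounding `source: |` block starts and ends outside the hunk, and the neighbouring context comment still reads `greather`.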
@@ -56,7 +56,7 @@ source: |
 '<(?:span|div)[^\>]*style=\x22[^\x22]*\s*(?:display\s*\x3a\s*none|visibility\s*\x3a\s*hidden)\x3b[^\x22]*\x22(?:\s*\w+=\"\w+\")*>\s*\<(?:body|meta|(?:]+\>\s*(?:[^\<]*|<[a-z]+>\s*)<\/div>\s*){2,})'
 )
 // the length of the inner text is greather than or equal to 10x more than the display text
- // this attempts to generically cover multiple methods of hidding text
+ // this attempts to generically cover multiple methods of hiding text
 or length(body.html.inner_text) >= (length(body.html.display_text) * 10)
 )
 )