diff --git a/detection-rules/evasion_hidden_content_gmail.yml b/detection-rules/evasion_hidden_content_gmail.yml
new file mode 100644
index 00000000000..6af87da9b73
--- /dev/null
+++ b/detection-rules/evasion_hidden_content_gmail.yml
@@ -0,0 +1,20 @@
+name: "Evasion: Hidden content divs from Gmail sender"
+description: "Detects inbound messages from Gmail sender containing multiple hidden HTML div elements with specific styling properties (display:none, opacity:0, zero dimensions) that are commonly used to evade content filtering and detection systems."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and sender.email.domain.domain == 'gmail.com'
+ and strings.count(body.html.raw,
+ '