From e32948357dfa73c73587f8e60d28a471a35daad7 Mon Sep 17 00:00:00 2001
From: Daniel Bolton <daniel@sublimesecurity.com>
Date: Tue, 9 Jun 2026 19:54:19 +0200
Subject: [PATCH 1/2] Create evasion_hidden_content_gmail.yml

---
 .../evasion_hidden_content_gmail.yml            | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 detection-rules/evasion_hidden_content_gmail.yml

diff --git a/detection-rules/evasion_hidden_content_gmail.yml b/detection-rules/evasion_hidden_content_gmail.yml
new file mode 100644
index 00000000000..ca83fcce313
--- /dev/null
+++ b/detection-rules/evasion_hidden_content_gmail.yml
@@ -0,0 +1,17 @@
+name: "Evasion: Hidden content divs from Gmail sender"
+description: "Detects inbound messages from Gmail sender containing multiple hidden HTML div elements with specific styling properties (display:none, opacity:0, zero dimensions) that are commonly used to evade content filtering and detection systems."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.domain == 'gmail.com'
+  and strings.count(body.html.raw, '<div style="display:none;opacity:0;width:0;height:0;overflow:hidden" aria-hidden="true">') >= 3
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free email provider"
+detection_methods:
+  - "HTML analysis"
+  - "Content analysis"
+  - "Sender analysis"
\ No newline at end of file

From 49914052939580d125e777347597a3530261c826 Mon Sep 17 00:00:00 2001
From: CI Bot <hello@sublimesecurity.com>
Date: Tue, 9 Jun 2026 17:56:20 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/evasion_hidden_content_gmail.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/detection-rules/evasion_hidden_content_gmail.yml b/detection-rules/evasion_hidden_content_gmail.yml
index ca83fcce313..6af87da9b73 100644
--- a/detection-rules/evasion_hidden_content_gmail.yml
+++ b/detection-rules/evasion_hidden_content_gmail.yml
@@ -5,7 +5,9 @@ severity: "medium"
 source: |
   type.inbound
   and sender.email.domain.domain == 'gmail.com'
-  and strings.count(body.html.raw, '<div style="display:none;opacity:0;width:0;height:0;overflow:hidden" aria-hidden="true">') >= 3
+  and strings.count(body.html.raw,
+                    '<div style="display:none;opacity:0;width:0;height:0;overflow:hidden" aria-hidden="true">'
+  ) >= 3
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -14,4 +16,5 @@ tactics_and_techniques:
 detection_methods:
   - "HTML analysis"
   - "Content analysis"
-  - "Sender analysis"
\ No newline at end of file
+  - "Sender analysis"
+id: "15548316-19ca-5f81-91d4-98a877bae765"