
HTML smuggling — Blob/createObjectURL + large base64 payload in body (Mamba 2FA / Tycoon / QakBot pattern)

mamba-tycoon-obfuscated-html-b64-blob

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

HTML body contains a `new Blob()` or `URL.createObjectURL()` construct combined with a large base64 string (>=200 chars) — the HTML-smuggling delivery pattern for ZIPs, PEs, and PDFs behind the Mamba 2FA, Tycoon 2FA, and QakBot campaigns. Predictable payload headers (UEsDB for ZIP, TVpQA for PE, JVBER for PDF) add strong confidence. MITRE ATT&CK T1027.006. Bypasses URL reputation scanners entirely because the payload is reconstructed in the browser.
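The heuristic described above, as an added example that is not Gorganizer's own code: a small scanner that checks an HTML body for the two halves of the signal (a `new Blob(` / `URL.createObjectURL(` construct and a base64 run of at least 200 characters) and then raises confidence when a run starts with one of the payload prefixes the page lists. The sample bodies are constructed for the demo; the "ZIP" is the correct base64 prefix followed by filler, not a real archive. The `TVqQ` prefix (base64 of the standard `MZ\x90\x00` PE stub) is an addition beyond the page's list.

```python
import re
from dataclasses import dataclass

# Base64 prefixes of common payload magic bytes. The first three are the
# ones named on the page; "TVqQ" (base64 of the standard "MZ\x90\x00" PE
# stub) is added here.
PAYLOAD_PREFIXES = {
    "UEsDB": "zip",  # "PK\x03\x04"
    "TVpQA": "pe",   # "MZP" (Delphi-style PE stub)
    "TVqQ": "pe",    # "MZ\x90\x00" (standard PE stub), added
    "JVBER": "pdf",  # "%PDF"
}

MIN_B64_LEN = 200  # size threshold from the page

# In-browser reconstruction primitives. Substring match, so
# "webkitURL.createObjectURL(" is caught as well.
SMUGGLING_CONSTRUCT = re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(")

# A run of base64 alphabet at least MIN_B64_LEN long, with optional padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


@dataclass
class Verdict:
    has_construct: bool
    base64_run_lengths: list
    payload_types: list

    @property
    def matched(self) -> bool:
        """Both halves present: reconstruction code plus a large base64 blob."""
        return self.has_construct and bool(self.base64_run_lengths)

    @property
    def high_confidence(self) -> bool:
        """Matched, and at least one blob starts with a known payload header."""
        return self.matched and bool(self.payload_types)


def scan_html_body(html: str) -> Verdict:
    """Apply the Blob/createObjectURL + large-base64 heuristic to one HTML body."""
    has_construct = SMUGGLING_CONSTRUCT.search(html) is not None
    runs = [m.group(0) for m in BASE64_RUN.finditer(html)]
    types = []
    for run in runs:
        for prefix, kind in PAYLOAD_PREFIXES.items():
            if run.startswith(prefix):
                types.append(kind)
                break
    return Verdict(has_construct, [len(r) for r in runs], types)


# --- constructed sample bodies (not real campaign samples) -----------------

# Correct ZIP prefix followed by filler; decodes to garbage, not an archive.
FAKE_ZIP_B64 = "UEsDB" + "A" * 220

SMUGGLED = f"""<html><body><p>Your document is ready.</p>
<script>
var d = "{FAKE_ZIP_B64}";
var bytes = Uint8Array.from(atob(d), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var url = URL.createObjectURL(blob);
</script></body></html>"""

# Newsletter with an inline PNG: a long base64 run but no reconstruction code.
NEWSLETTER = ('<html><body><img src="data:image/png;base64,'
              + "iVBORw0KGgo" + "A" * 260 + '"></body></html>')

# Reconstruction code with only a short string: below the size threshold.
SHORT = '<script>URL.createObjectURL(new Blob(["' + "UEsDB" + "A" * 40 + '"]));</script>'


if __name__ == "__main__":
    for name, body in [("smuggled", SMUGGLED), ("newsletter", NEWSLETTER), ("short", SHORT)]:
        v = scan_html_body(body)
        print(f"{name:10} matched={v.matched} high_confidence={v.high_confidence} "
              f"types={v.payload_types} runs={v.base64_run_lengths}")
```

Two things to keep in mind when running this over real mail: the base64 blob is usually split across several JS string literals or line-wrapped by the MIME layer, so normalise the body (decode quoted-printable, join adjacent string literals, drop whitespace) before the regex pass; and the inline-image case shows why the size check alone is not a verdict, which is why the page treats the construct and the blob as a combined signal.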

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
