Medium Severity

Attachment: EML with Suspicious Indicators

Labels

Credential Phishing

Evasion

Description

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

References

No references.

Sublime Security

Created Nov 19th, 2024 • Last updated Jun 2nd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  // a single attachmed EML
  length(attachments) == 1
  // or a single attached EML with one or more images used in the body of the message
  // likely within the signatures
  or (
    length(filter(attachments,
                  .file_extension == "eml" or .content_type == "message/rfc822"
           )
    ) == 1
    and length(filter(attachments,
                      .file_type in $file_types_images
                      and 
                      (
                        any(regex.extract(.content_id, '^<(?P<cid>.*)\>$'),
                          strings.icontains(body.html.raw,
                                            .named_groups["cid"]
                          )
                        )
                        or strings.icontains(body.html.raw, .content_id)
                      )
               )
    ) == length(attachments) - 1
  )
)
and (
  length(body.current_thread.text) < 300
  or body.current_thread.text is null
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name in ("cred_theft", "steal_pii")
  )
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "benign" and .confidence == "high"
)
and any(attachments,
        (.file_extension == "eml" or .content_type == "message/rfc822")
        and (
          // suspicious indicators
          file.parse_eml(.).sender.email.email == ""
          or length(file.parse_eml(.).body.html.raw) < 10
          or length(file.parse_eml(.).headers.hops) < 2
          // the sender of the outer message is the recipient of the outer message
          // and the sender and recipient of the inner message
          or (
            sender.email.email in map(recipients.to, .email.email)
            and length(recipients.to) == 1
            and sender.email.email == file.parse_eml(.).sender.email.email
            and sender.email.email in map(file.parse_eml(.).recipients.to, .email.email) 
            and length(file.parse_eml(.).recipients.to) == 1
          )
          
        )
        and not (
          all(file.parse_eml(.).body.links,
              .href_url.domain.root_domain in ("aka.ms", "office365.com")
              or .href_url.url == "#additionalatt"
          )
          and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                "We’re making sure your attachments are safe"
          )
        )
        and file.parse_eml(.).sender.email.domain.root_domain not in $org_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.