• Sublime Core Feed
High Severity

Attachment: Office file contains OLE relationship to credential phishing page

Labels

Credential Phishing
Evasion
Social engineering
File analysis
HTML analysis
Natural Language Understanding
OLE analysis
URL analysis

Description

Office file OLE relationship link is a credential page, or contains credential phishing language.

References

No references.

Sublime Security
Created Aug 25th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and length(file.oletools(.).relationships) < 500
        and any(file.oletools(.).relationships,
                (
                  any(ml.nlu_classifier(ml.link_analysis(.target_url).final_dom.display_text
                      ).intents,
                      .name == "cred_theft"
                      and .confidence in ("medium", "high")
                  )
                  and .target_url.domain.root_domain not in ("google.com", "goo.gl")
                 
                  and ml.link_analysis(.target_url).effective_url.domain.domain != "login.microsoftonline.com"
                )
                or ml.link_analysis(.target_url).credphish.disposition == "phishing"
        )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started