• Sublime Core Feed
Medium Severity

Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)

Labels

Credential Phishing
Free subdomain host
PDF
Social engineering
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis

Description

Detects messages with credential theft PDFs linking to free subdomains.

References

No references.

Sublime Security
Created Jan 30th, 2024 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.pdf.urls,
                    .domain.root_domain in $free_subdomain_hosts
                    and .domain.subdomain is not null
                    and .domain.subdomain != "www"
                )
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft"
                        and .confidence in ("medium", "high")
                )
        )
)
// unsolicited
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started