Description

Detects inbound messages that are not replies, forwards, or mailing list communications, and contain image attachments (JPG or PNG) alongside body text classified as romantic or sexually explicit in nature. The messages either include links to known redirector or free hosting domains (such as geno.link or sites.google.com), or exhibit advance-fee fraud intent while routing replies to a free email provider despite originating from a corporate-looking sender domain. Senders observed span spoofed government and business addresses as well as free webmail accounts, with subject lines using romantic or personal connection lures.

References

No references.

Sublime Security
Created Jul 1st, 2026 • Last updated Jul 1st, 2026
Source
type.inbound
and not subject.is_reply
and not subject.is_forward
and not any(headers.hops,
            any(.fields,
                strings.ilike(.name, "List-Id")
                or strings.ilike(.name, "List-Unsubscribe")
            )
)
and any(attachments, .file_type in ("jpg", "png"))
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Romance", "Sexually Explicit Messages")
        and .confidence != 'low'
)
and (
  any(body.links, .href_url.domain.domain in ("geno.link", "sites.google.com"))
  or (
    any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
    and sender.email.domain.root_domain not in $free_email_providers
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "advance_fee" and .confidence != 'low'
    )
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started