• Sublime Core Feed
Medium Severity

Attachment: Small text file with link containing recipient email address

Labels

Credential Phishing
Evasion
Social engineering
File analysis
URL analysis

Description

Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links.

References

No references.

Sublime Security
Created May 14th, 2024 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .content_type in~ ("text/plain", "text")
        // negate calendar invites
        and not (
          .file_extension == "ics"
          or .content_type in ("application/ics", "text/calendar")
        )
        and any(file.explode(.),
                .size < 1000
                and any(.scan.url.urls,
                        any(recipients.to,
                            strings.icontains(..url, .email.email)
                            and .email.domain.valid
                        )
                )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started