• Sublime Core Feed
Medium Severity

Brand Impersonation: Mailchimp

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Natural Language Understanding
Content analysis
Header analysis
Sender analysis

Description

Detects messages from senders impersonating Mailchimp through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.

References

No references.

Sublime Security
Created May 5th, 2025 • Last updated May 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  // display name contains Mailchimp
  (
    strings.ilike(strings.replace_confusables(sender.display_name),
                  '*mailchimp*'
    )
    // levenshtein distance similar to Mailchimp
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'mailchimp'
    ) <= 1
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "Mailchimp" and .confidence == "high"
    )
  )
)
and (
  any(beta.ml_topic(body.current_thread.text).topics,
      .name in (
        "Security and Authentication",
        "Secure Message",
        "Reminders and Notifications"
      )
      and .confidence in ("medium", "high")
  )
  or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
         .name in (
           "Security and Authentication",
           "Secure Message",
           "Reminders and Notifications"
         )
         and .confidence in ("medium", "high")
         and beta.ocr(beta.message_screenshot()).text != ""
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from Mailchimp domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in ("intuit.com", "mailchimp.com")
    and headers.auth_summary.dmarc.pass
  )
)
and not strings.ends_with(headers.message_id, ".mailchimp.com>")
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started