Medium Severity

Brand impersonation: Marriott with gift language

Labels

Credential Phishing

Impersonation: Brand

Description

Detects messages impersonating Marriott brand that contain gift-related language such as 'appreciation gift', 'thank you gift', or 'something special' from senders not associated with legitimate Marriott domains.

References

No references.

Sublime Security

Created Feb 2nd, 2026 • Last updated Feb 2nd, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  strings.icontains(subject.base, "marriott")
  or strings.icontains(sender.display_name, "marriott")
  or strings.ilevenshtein(sender.display_name, 'marriott') <= 2
)
and any([body.current_thread.text, subject.base],
        regex.icontains(.,
                        '(?:appreciation|thank)(?:\s|-)?(you)?\s+gift',
                        'something special',
                        'special.{0,10}thank(?:\s|-)you'
        )
)
and not (
  sender.email.domain.root_domain in~ (
    "marriott.com",
    "res-marriott.com",
    "email-marriott.com",
    "feedback-marriott.com",
    "marriotthotels.se",
    "bookonline.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.