Sublime Core Feed
Medium Severity

Business Email Compromise (BEC) attempt from unsolicited sender

Labels

BEC/Fraud
Social engineering
Spoofing
Content analysis
File analysis
Header analysis
Sender analysis

Description

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source: Sublime Core Feed
Source: GitHub
type.inbound
// NLU classifier labels the current thread text with the "bec" intent at high confidence
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec") and .confidence == "high"
)
and
// mismatched From and Reply-To (by root domain), or failed DMARC / SPF
(
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            .email.domain.root_domain != sender.email.domain.root_domain
    )
  )
  or not headers.auth_summary.dmarc.pass
  or not headers.auth_summary.spf.pass
)

// negate "via" senders via dmarc authentication or gmail autoforwards
and not (
  strings.ilike(headers.return_path.local_part, "*+caf_=*")
  and strings.contains(sender.display_name, "via")
  and (headers.auth_summary.dmarc.pass)
)
// sender is unsolicited, or solicited but with only malicious/spam history and no benign messages
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
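The header and sender-profile branches of the rule above, re-implemented in Python as an added example (not Sublime's code and not part of this rule page) so each branch can be exercised on constructed messages. The NLU "bec" intent and the sender-profile flags are passed in as inputs because they come from Sublime's classifier and message history, and root_domain is a simplification that does not consult the public suffix list.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: executive-style request with Reply-To on a different root domain.
SAMPLE_BEC = """From: "Pat Executive" <pat@example.com>
Reply-To: pat@example-mail.net
Return-Path: <pat@example.com>
Authentication-Results: mx.example.org; spf=pass; dmarc=pass
Subject: Quick favour

Are you at your desk? I need a payment sent before close of business.
"""
# Constructed sample: Gmail auto-forward ("+caf_=" return path, "via" display name, DMARC pass).
SAMPLE_FORWARD = """From: "Pat Executive via Google" <pat@example.com>
Return-Path: <pat+caf_=finance=example.org@example.com>
Authentication-Results: mx.example.org; spf=fail; dmarc=pass
Subject: Fwd: invoice

Please process the attached invoice.
"""

def root_domain(addr: str) -> str:
    # Simplification of MQL's .domain.root_domain: last two labels, no public-suffix list.
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def auth_pass(msg, mechanism: str) -> bool:
    # Stand-in for headers.auth_summary.<mechanism>.pass: read Authentication-Results.
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(rf"\b{mechanism}=pass\b", results, re.I) is not None

def rule_matches(eml: str, bec_intent_high: bool, solicited: bool,
                 any_malicious_or_spam: bool = False, any_benign: bool = False) -> bool:
    if not bec_intent_high:  # ml.nlu_classifier(...) "bec" intent with high confidence
        return False
    msg = message_from_string(eml)
    display_name, sender_addr = (getaddresses(msg.get_all("From", [])) or [("", "")])[0]
    reply_tos = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    dmarc, spf = auth_pass(msg, "dmarc"), auth_pass(msg, "spf")
    # mismatched From and Reply-To, or failed authentication
    reply_mismatch = bool(reply_tos) and all(root_domain(a) != root_domain(sender_addr) for a in reply_tos)
    header_risk = reply_mismatch or not dmarc or not spf
    # negate "via" senders: Gmail auto-forward marker in Return-Path plus DMARC pass
    return_local = msg.get("Return-Path", "").strip("<> ").rsplit("@", 1)[0]
    autoforward = "+caf_=" in return_local and "via" in display_name and dmarc
    # unsolicited sender, or a solicited one whose only history is malicious/spam
    profile_risk = not solicited or (any_malicious_or_spam and not any_benign)
    return header_risk and not autoforward and profile_risk
```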