High Severity
Corporate Services Impersonation Phishing
Description
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
References
No references.
Sublime Security
Created May 15th, 2024 • Last updated Apr 30th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// use distinct "urls" (without query params) to determine number of links
and 0 < length(distinct(body.links,
// strip out query params to determine
// the unique number of links
strings.concat(.href_url.scheme,
.href_url.domain.domain,
.href_url.path
)
)
) <= 8
// HR language found in subject
and (
(
length(subject.subject) > 20
and regex.icontains(subject.subject,
'(time.{0,4}sheet)|(employ|update(?:d| to)).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|conduct|acknowl|PTO|vacation|assess|eval)',
// shorten the distance to 3 or less words for the word "review"
// special handling of benefits
'\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)',
// handle the year in the subject, and expand the distance to 5 or less words
'20\d{2}\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,5}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)'
)
)
// or HR language found in sender
or (
regex.icontains(sender.display_name,
'(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm'
)
and not regex.icontains(sender.display_name,
"forum|employee voice|briefs|newsletter|screening"
)
and not regex.icontains(sender.display_name,
"HR (new|vue|view|tech admin|global)"
)
and not strings.icontains(sender.display_name,
"get it"
)
)
// or assessment report language found in body
or (
regex.icontains(body.current_thread.text,
'20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
)
)
// or HR department language found in body via NLU
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("org", "sender") and regex.icontains(.text, '\bhr\b', 'human resources')
)
)
// suspicious display_text
and (
any(body.links,
regex.icontains(.display_text,
'((verify|view|click|download|goto|keep|Vιew|release|access).{0,10}(request|here|report|attachment|current|download|fax|file|document|message|same)s?)'
)
and not strings.ilike(.display_text, "*unsub*")
and not strings.ilike(.href_url.url, "*privacy-policy*")
and not strings.ilike(.display_text, "*REGISTER*")
// from a low reputation link
and (
not .href_url.domain.root_domain in $org_domains
and (
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
)
or
// or mass mailer link, masks the actual URL
.href_url.domain.root_domain in (
"hubspotlinks.com",
"mandrillapp.com",
"sendgrid.net",
"rs6.net",
"mailanyone.net",
)
)
)
// or credential theft confidence high
or (
length(body.links) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not sender.email.domain.root_domain in (
"servicenowservices.com",
"workplaceextras.com",
"tempo.io",
"or.us"
)
)
or any(filter(attachments, .content_type == "message/rfc822"),
any(file.parse_eml(.).attachments,
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
)
)
// negate messages where "click here" was found and was a link actually an unsub link
// this method allows for matching on other 'click here' links if they are present
and not (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
and (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
'click here to unsubscribe'
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
or sender.email.domain.root_domain in $org_domains
)
and not headers.auth_summary.dmarc.pass
)
or (
sender.email.domain.root_domain not in $high_trust_sender_root_domains
and sender.email.domain.root_domain not in $org_domains
)
)
// not from sharepointonline actual
and not (
sender.email.domain.root_domain == "sharepointonline.com"
and strings.ends_with(headers.message_id, '@odspnotify>')
and strings.starts_with(headers.message_id, "<Spo")
)
// netate common FP topics
and not any(beta.ml_topic(body.current_thread.text).topics, .name in ("Events and Webinars", "Advertising and Promotions", "Newsletters and Digests") and .confidence == "high")
// negate common helpdesk platforms
and not any(headers.domains, .root_domain in ("freshemail.io", "zendesk.com"))
// negate observed HR newsletters
and not (
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
and strings.starts_with(sender.email.local_part, 'newsletters-hr')
and sender.email.domain.root_domain == "ccsend.com"
)
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.