• Sublime Core Feed
High Severity

Corporate Services Impersonation Phishing

Labels

Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

References

No references.

Sublime Security
Created May 15th, 2024 • Last updated Apr 11th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
// Scope: inbound mail only. Every top-level clause below is AND-ed together,
// so the rule fires only when all of the conditions hold at once.
type.inbound
// use distinct "urls" (without query params) to determine number of links;
// messages with no links, or with more than 8 unique links, are out of scope
and 0 < length(distinct(body.links,
                        // strip out query params to determine
                        // the unique number of links (scheme + domain + path only)
                        strings.concat(.href_url.scheme,
                                       .href_url.domain.domain,
                                       .href_url.path
                        )
               )
) <= 8

// HR language found in subject (only subjects longer than 20 characters are checked)
and (
  (
    length(subject.subject) > 20
    and regex.icontains(subject.subject,
                        // "timesheet", or "employ…"/"update(d|to)" within 30 chars of an HR term
                        // (benefit, handbook, compensation, payroll, policy, PTO, ...)
                        '(time.{0,4}sheet)|(employ|update(?:d| to)).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|conduct|acknowl|PTO|vacation|assess|eval)',
                        // shorten the distance to 3 or fewer words for the word "review"
                        // special handling of benefits ("benefits statement"/"benefits enrollment")
                        '\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)',
                        // handle a year (20xx) in the subject, and expand the distance to 5 or fewer words
                        '20\d{2}\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,5}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)'
    )
  )

  // or HR / IT / helpdesk language found in the sender display name,
  // minus display names that also match benign patterns
  or (
    regex.icontains(sender.display_name,
                    '(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm'
    )
    // exclude forum / newsletter / briefing / screening senders
    and not regex.icontains(sender.display_name,
                            "forum|employee voice|briefs|newsletter|screening"
    )
    // exclude a fixed set of "HR <word>" display names observed as benign
    and not regex.icontains(sender.display_name,
                            "HR (new|vue|view|tech admin|global)"
    )
  )

  // or assessment report language found in body, e.g. "2024 assessment report"
  // or "2023-24 performance assessment report"
  or (
    regex.icontains(body.current_thread.text,
                    '20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
    )
  )

  // or HR department language found in body via NLU: an "org" or "sender"
  // entity whose text mentions HR / human resources
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name in ("org", "sender") and regex.icontains(.text, '\bhr\b', 'human resources')
  )
)

// suspicious display_text on at least one link
and (
  any(body.links,
      // call-to-action link text such as "view document", "click here", "access report";
      // "Vιew" (Greek iota) covers a homoglyph spelling of "view"
      regex.icontains(.display_text,
                      '((verify|view|click|download|goto|keep|Vιew|release|access).{0,10}(request|here|report|attachment|current|download|fax|file|document|message|same)s?)'
      )
      // ignore unsubscribe, privacy-policy and registration links
      and not strings.ilike(.display_text, "*unsub*")
      and not strings.ilike(.href_url.url, "*privacy-policy*")
      and not strings.ilike(.display_text, "*REGISTER*")

      // from a low reputation link: not an org domain, and either outside the
      // Tranco top 1M or on a free file host / free subdomain host / URL shortener
      and (
        not .href_url.domain.root_domain in $org_domains
        and (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
        )
        or 
        // or mass mailer link, masks the actual URL
        // NOTE(review): this branch is OR-ed against the whole low-reputation clause
        // above, so it is not subject to the $org_domains exclusion — confirm intended
        .href_url.domain.root_domain in (
          "hubspotlinks.com",
          "mandrillapp.com",
          "sendgrid.net",
          "rs6.net",
          "mailanyone.net",
        )
      )
  )
  // or credential theft confidence high (NLU intent), with at least one link,
  // from senders outside a short list of exempted root domains
  or (
    length(body.links) > 0
    and any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence == "high"
    )
    and not sender.email.domain.root_domain in (
      "servicenowservices.com",
      "workplaceextras.com",
      "tempo.io",
      "or.us"
    )
  )
  // or an attached .eml whose exploded attachments contain OCR text
  // asking the reader to scan a QR code / barcode
  or any(filter(attachments, .content_type == "message/rfc822"),
         any(file.parse_eml(.).attachments,
             any(file.explode(.),
                 regex.icontains(.scan.ocr.raw, 'scan|camera')
                 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
             )
         )
  )
)
// negate messages where every "click here" link is actually the unsubscribe link
// (count of "click here" links == count of "click here to unsubscribe" in the body);
// this method still allows a match when other 'click here' links are present
and not (
  length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
  and (
    length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
                                                                                                 'click here to unsubscribe'
    )
  )
)

// negate highly trusted sender domains (and org domains) unless they fail DMARC authentication
and (
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      or sender.email.domain.root_domain in $org_domains
    )
    and not headers.auth_summary.dmarc.pass
  )
  or (
    sender.email.domain.root_domain not in $high_trust_sender_root_domains
    and sender.email.domain.root_domain not in $org_domains
  )
)
// not from sharepointonline actual: sender root domain plus the "<Spo…@odspnotify>" Message-ID shape
and not (
  sender.email.domain.root_domain == "sharepointonline.com"
  and strings.ends_with(headers.message_id, '@odspnotify>')
  and strings.starts_with(headers.message_id, "<Spo")
)
// negate common FP topics (high-confidence ML topic classification)
and not any(beta.ml_topic(body.current_thread.text).topics, .name in ("Events and Webinars", "Advertising and Promotions", "Newsletters and Digests") and .confidence == "high")
// negate common helpdesk platforms seen anywhere in header domains
and not any(headers.domains, .root_domain in ("freshemail.io", "zendesk.com"))
// negate observed HR newsletters: Constant Contact SPF designator in a hop,
// "newsletters-hr…" local part, and ccsend.com sender root domain
and not (
  any(headers.hops,
      strings.icontains(.authentication_results.spf_details.designator,
                        "constantcontact.com"
      )
  )
  and strings.starts_with(sender.email.local_part, 'newsletters-hr')
  and sender.email.domain.root_domain == "ccsend.com"
)
// sender profile: unsolicited sender, or a sender with prior malicious/spam
// messages and no false positives
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    // redundant with the trailing any_false_positives clause below, kept for readability
    and not profile.by_sender().any_false_positives
  )
)
// never fire on senders with any recorded false positives
and not profile.by_sender().any_false_positives