High Severity

Credential phishing content and link (untrusted sender)

Labels

Credential Phishing

Social engineering

Description

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

References

No references.

Sublime Security

Created Nov 21st, 2023 • Last updated Dec 17th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // embedded in an image attachment
  // note: don't use message_screenshot() for now
  // because it's not limited to current_thread and may FP
  or any(attachments,
         .file_type in $file_types_images
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
                 )
         )
  )
)
and any(body.links,
        .href_url.domain.root_domain not in ("outlook.com")
        and .href_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
        and (
          ml.link_analysis(., mode="aggressive").credphish.confidence in (
            "medium",
            "high"
          )
          or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
        )
        and not .href_url.domain.root_domain == "c3reservations.com"
)
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  // or there are no recipients
  or length(recipients.to) == 0
  // or the recipients are all invalid 
  or all(recipients.to, .email.domain.valid == false)

  // or the sender exhibits a "self sender" pattern
  or (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  )
)

// negate docusign 'via' messages
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)

// negate docusign originated emails
and not any(headers.hops,
            regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.