• Sublime Core Feed
High Severity

Credential phishing content and link (untrusted sender)

Labels

Credential Phishing
Social engineering
Computer Vision
Sender analysis
URL analysis
URL screenshot

Description

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

References

No references.

Sublime Security
Created Nov 21st, 2023 • Last updated Jun 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // embedded in an image attachment
  // note: don't use message_screenshot() for now
  // because it's not limited to current_thread and may FP
  or any(attachments,
         .file_type in $file_types_images
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
                 )
         )
  )
)
and any(body.links,
        .href_url.domain.root_domain not in ("outlook.com")
        and .href_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
        and ml.link_analysis(., mode="aggressive").credphish.confidence in (
          "medium",
          "high"
        )
        and not .href_url.domain.root_domain == "c3reservations.com"
)
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_false_positives
  )
)

// negate docusign 'via' messages
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)

// negate docusign originated emails
and not any(headers.hops,
            regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started