High Severity
Credential phishing content and link (untrusted sender)
Description
Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.
References
No references.
Sublime Security
Created Nov 21st, 2023 • Last updated Jun 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// embedded in an image attachment
// note: don't use message_screenshot() for now
// because it's not limited to current_thread and may FP
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
)
and any(body.links,
.href_url.domain.root_domain not in ("outlook.com")
and .href_url.domain.domain != "play.google.com"
and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
and ml.link_analysis(., mode="aggressive").credphish.confidence in (
"medium",
"high"
)
and not .href_url.domain.root_domain == "c3reservations.com"
)
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender_email().solicited
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_false_positives
)
)
// negate docusign 'via' messages
and not (
any(headers.hops,
any(.fields,
.name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
)
)
and strings.contains(sender.display_name, "via")
)
// negate docusign originated emails
and not any(headers.hops,
regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.