• Sublime Core Feed
Medium Severity

Credential phishing: Engaging language and other indicators (untrusted sender)

Labels

Credential Phishing
Free email provider
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis

Description

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jun 18th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  regex.icontains(subject.subject,
                  "termination.*notice",
                  "38417",
                  ":completed",
                  "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                  "[il][il][il]egai[ -]",
                  "[li][li][li]ega[li] attempt",
                  "[ng]-?[io]n .*block",
                  "[ng]-?[io]n .*cancel",
                  "[ng]-?[io]n .*deactiv",
                  "[ng]-?[io]n .*disabl",
                  "action.*required",
                  "abandon.*package",
                  "about.your.account",
                  "acc(ou)?n?t (is )?on ho[li]d",
                  "acc(ou)?n?t.*terminat",
                  "acc(oun)?t.*[il1]{2}mitation",
                  "access.*limitation",
                  "account (will be )?block",
                  "account.*de-?activat",
                  "account.*locked",
                  "account.*re-verification",
                  "account.*security",
                  "account.*suspension",
                  "account.has.expired",
                  "account.will.be.blocked",
                  "account v[il]o[li]at",
                  "activity.*acc(oun)?t",
                  "almost.full",
                  "app[li]e.[il]d",
                  "authenticate.*account",
                  "been.*suspend",
                  "crediential.*notif",
                  "clos.*of.*account.*processed",
                  "confirm.your.account",
                  "courier.*able",
                  "crediential.*notif",
                  "deactivation.*in.*progress",
                  "delivery.*attempt.*failed",
                  "disconnection.*notice",
                  "document.received",
                  "documented.*shared.*with.*you",
                  "dropbox.*document",
                  "e-?ma[il1]+ .{010}suspen",
                  "e-?ma[il1]{1} user",
                  "e-?ma[il1]{2} acc",
                  "e-?ma[il1]{2} preview",
                  "e-?ma[il1]{2}.*up.?grade",
                  "e.?ma[il1]{2}.*server",
                  "e.?ma[il1]{2}.*suspend",
                  "email.update",
                  "faxed you",
                  "fraud(ulent)?.*charge",
                  "from.helpdesk",
                  "fu[il1]{2}.*ma[il1]+[ -]?box",
                  "has.been.*suspended",
                  "has.been.limited",
                  "have.locked",
                  "he[li]p ?desk upgrade",
                  "heipdesk",
                  "i[il]iega[il]",
                  "ii[il]ega[il]",
                  "incoming e?mail",
                  "incoming.*fax",
                  "lock.*security",
                  "ma[il1]{1}[ -]?box.*quo",
                  "ma[il1]{2}[ -]?box.*fu[il1]",
                  "ma[il1]{2}box.*[il1]{2}mit",
                  "ma[il1]{2}box stor",
                  "mail on.?hold",
                  "mail.*box.*migration",
                  "mail.*de-?activat",
                  "mail.update.required",
                  "mails.*pending",
                  "messages.*pending",
                  "missed.*shipping.*notification",
                  "missed.shipment.notification",
                  "must.update.your.account",
                  "new [sl][io]g?[nig][ -]?in from",
                  "new voice ?-?mail",
                  "notifications.*pending",
                  "office.*3.*6.*5.*suspend",
                  "office365",
                  "on google docs with you",
                  "online doc",
                  "password.*compromised",
                  "(?:payroll|salary|bonus).*Distribution",
                  "periodic maintenance",
                  "potential(ly)? unauthorized",
                  "refund not approved",
                  "report",
                  "revised.*policy",
                  "scam",
                  "scanned.?invoice",
                  "secured?.update",
                  "security breach",
                  "securlty",
                  "signed.*delivery",
                  "status of your .{314}? ?delivery",
                  "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                  "suspicious.*sign.*[io]n",
                  "suspicious.activit",
                  "temporar(il)?y deactivate",
                  "temporar[il1]{2}y disab[li]ed",
                  "temporarily.*lock",
                  "un-?usua[li].activity",
                  "unable.*deliver",
                  "unauthorized.*activit",
                  "unauthorized.device",
                  "undelivered message",
                  "unread.*doc",
                  "unusual.activity",
                  "(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt",
                  "upgrade.*account",
                  "upgrade.notice",
                  "urgent message",
                  "urgent.verification",
                  "v[il1]o[li1]at[il1]on security",
                  "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                  "verification ?-?require",
                  "verification( )?-?need",
                  "verify.your?.account",
                  "web ?-?ma[il1]{2}",
                  "web[ -]?ma[il1]{2}",
                  "will.be.suspended",
                  "your (customer )?account .as",
                  "your.office.365",
                  "your.online.access",
                  "de.activation",
                  // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
                  "account has been limited",
                  "action required",
                  "almost full",
                  "apd notifi cation",
                  "are you at your desk",
                  "are you available",
                  "attached file to docusign",
                  "banking is temporarily unavailable",
                  "bankofamerica",
                  "closing statement invoice",
                  "completed: docusign",
                  "de-activation of",
                  "delivery attempt",
                  "delivery stopped for shipment",
                  "detected suspicious",
                  "detected suspicious actvity",
                  "docu sign",
                  "document for you",
                  "document has been sent to you via docusign",
                  "document is ready for signature",
                  "docusign",
                  "encrypted message",
                  "failed delivery",
                  "fedex tracking",
                  "file was shared",
                  "freefax",
                  "fwd: due invoice paid",
                  "has shared",
                  "inbox is full",
                  "invitation to comment",
                  "invitation to edit",
                  "invoice due",
                  "left you a message",
                  "message from",
                  "new message",
                  "new voicemail",
                  "on desk",
                  "out of space",
                  "password reset",
                  "payment status",
                  "pay notification",
                  "quick reply",
                  "re: w-2",
                  "required",
                  "required: completed docusign",
                  "remittance",
                  "ringcentral",
                  "scanned image",
                  "secured files",
                  "secured pdf",
                  "security alert",
                  "new sign-in",
                  "new sign in",
                  "sign-in attempt",
                  "sign in attempt",
                  "staff review",
                  "suspicious activity",
                  "unrecognized login attempt",
                  "unusual signin",
                  "upgrade immediately",
                  "urgent",
                  "wants to share",
                  "w2",
                  "you have notifications pending",
                  "your account",
                  "your amazon order",
                  "your document settlement",
                  "your order with amazon",
                  "your password has been compromised",
  )
  or (
    regex.icontains(subject.subject, 'account.has.been')
    and not regex.icontains(subject.subject, 'account.has.been.*created')
  )
  or (
    regex.icontains(sender.display_name,
                    "Admin",
                    "Administrator",
                    "Alert",
                    "Assistant",
                    "Authenticat(or|ion)",
                    "Billing",
                    "Benefits",
                    "Bonus",
                    "CEO",
                    "CFO",
                    "CIO",
                    "CTO",
                    "Chairman",
                    "Claim",
                    "Confirm",
                    "Cpanel Mail",
                    "Critical",
                    "Customer Service",
                    "Deal",
                    "Discount",
                    "Director",
                    "Exclusive",
                    "Executive",
                    "Fax",
                    "Free",
                    "Gift",
                    '\bHR\b',
                    "Helpdesk",
                    "Human Resources",
                    "Immediate",
                    "Important",
                    "Info",
                    "Information",
                    "Invoice",
                    '\bIT\b',
                    '\bLegal\b',
                    "Lottery",
                    "Management",
                    "Manager",
                    "Member Services",
                    "Notification",
                    "Offer",
                    "Official Communication",
                    "Operations",
                    "Order",
                    "Partner",
                    "Payment",
                    "Payroll",
                    "Postmaster",
                    "President",
                    "Premium",
                    "Prize",
                    "Receipt",
                    "Refund",
                    "Registrar",
                    "Required",
                    "Reward",
                    "Sales",
                    "Secretary",
                    "Security",
                    "Server",
                    "Service",
                    "Storage",
                    "Support",
                    "Sweepstakes",
                    "System",
                    "Tax",
                    "Tech Support",
                    "Update",
                    "Upgrade",
                    "Urgent",
                    "Validate",
                    "Verify",
                    "VIP",
                    "Webmaster",
                    "Winner",
    )
    // add negation for common FPs in the sender display_name
    and not strings.icontains(sender.display_name, "service bulletin")
    and not strings.icontains(sender.display_name, "automotive service")
  )
)
and (
  4 of (
    any(recipients.to,
        .email.domain.valid
        and (
          strings.icontains(body.current_thread.text, .email.email)
          or strings.icontains(body.current_thread.text, .email.local_part)
        )
    ),
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    ),
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
    ),
    // recipient email address base64 encoded in link
    any(body.links,
        any(recipients.to,
            any(beta.scan_base64(..href_url.url,
                                 ignore_padding=true,
                                 format="url"
                ),
                strings.icontains(., ..email.email)
            )
        )
    ),
    (
      // freemail providers should never be sending this type of email
      sender.email.domain.domain in $free_email_providers

      // if not freemail, it's suspicious if the sender's root domain
      // doesn't match any links in the body
      or all(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
             and (
               .href_url.domain.root_domain not in $org_domains
               // ignore recipient email addresses in the body in relation to this check
               or (
                 .href_url.domain.root_domain in $org_domains
                 and any(recipients.to,
                         strings.icount(body.current_thread.text, .email.email) == strings.icount(body.current_thread.text,
                                                                                                  .email.domain.domain
                         )
                 )
               )
             )
      )

      // bulk mailers should also never be sending this type of email
      or all(filter(body.links,
                    .href_url.domain.domain not in (
                      "aka.ms",
                      "mimecast.com",
                      "mimecastprotect.com",
                      "cisco.com"
                    )
             ),
             .href_url.domain.root_domain in $bulk_mailer_url_root_domains
      )
    ),
    // in case it's embedded in an image attachment
    // note: don't use message_screenshot() because it's not limited to current_thread
    // and may FP
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft" and .confidence == "high"
                )
        )
    ),
    strings.contains(body.current_thread.text,
                     "Your mailbox can no longer send or receive messages."
    ),
    any(body.links,
        strings.icontains(.href_url.query_params, 'redirect')
        or any(.href_url.rewrite.encoders,
               strings.icontains(., "open_redirect")
        )
    ),
    // multiple entities displaying urgency 
    length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "urgency"
           )
    ) >= 2
    // and any body links
    and any(body.links,
            // display text contains a request
            any(ml.nlu_classifier(.display_text).entities, .name == "request")
    ),
    any(body.links,
        // display text contains a request
        (
          any(ml.nlu_classifier(.display_text).entities, .name == "request")
          or regex.match(.display_text, '^[^a-z]+$')
        )
        and (
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.domain in $free_file_hosts
          or (
            .href_url.domain.root_domain in (
              "mimecast.com",
              "mimecastprotect.com"
            )
            and any(.href_url.query_params_decoded['domain'],
                    strings.parse_url(strings.concat("https://", .)).domain.domain in $url_shorteners
                    or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
                    or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
                    or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
            )
          )
        )
    ),
    // common greetings via email.local_part
    any(recipients.to,
        length(.email.local_part) > 2
        and 
        // use count to ensure the email address is not part of a disclaimer
        strings.icount(body.current_thread.text, .email.local_part) > 
        // sum allows us to add more logic as needed
        strings.icount(body.current_thread.text,
                       strings.concat('was sent to ', .email.email)
        ) + strings.icount(body.current_thread.text,
                           strings.concat('intended for ', .email.email)
        )
    )
  )
  or (
    (
      // recipient's email address is in the body
      any(recipients.to,
          // use count to ensure the email address is not part of a disclaimer
          strings.icount(body.current_thread.text, .email.email) > 
          // sum allows us to add more logic as needed
          sum([
                strings.icount(body.current_thread.text,
                               strings.concat('was sent to ', .email.email)
                ),
                strings.icount(body.current_thread.text,
                               strings.concat('intended for ', .email.email)
                )
              ]
          )
      )
      // suspicious display text
      or (
        length(body.links) == 1
        and all(body.links,
                strings.ilike(.display_text, "*click here*", "*password*")
        )
      )
    )
    // link leads to a suspicious TLD or contains an IP address or contains multiple redirects
    and any(body.links,
            (
              ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
              or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                     .domain.root_domain
                                 )
                        )
              ) >= 4
              or (
                any(body.ips,
                    any(body.links, strings.icontains(.href_url.url, ..ip))
                )
              )
            )
    )
  )
)
// exclude Google shared calendar messages
// Subject: "<sender name> has shared a calendar with you"
and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
// negate calendar invites
and not (
  0 < length(attachments) < 3
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
)
// negate replies
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.icontains(subject.subject,
                           '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
        )
      )
    )
  )
  or length(headers.references) == 0
)
// bounce-back and DMARC report negations
and not (
  strings.like(sender.email.local_part,
               "*postmaster*",
               "*mailer-daemon*",
               "*administrator*"
  )
  and (
    any(attachments,
        .content_type in (
          "message/rfc822",
          "message/delivery-status",
          "text/calendar"
        )
    )
    or (
      length(attachments) == 1
      and all(attachments, .content_type in ("application/gzip"))
      and regex.icontains(subject.subject,
                          '(?:(Report\sDomain).*(Submitter).*(Report-ID))'
      )
    )
  )
)
and (
  (
    profile.by_sender().prevalence != "common"
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started