• Sublime Core Feed
Medium Severity

Credential phishing: Fake card notification with tracking lure

Labels

Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
URL analysis
Sender analysis

Description

Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links.

References

No references.

Sublime Security
Created Mar 24th, 2026 • Last updated Mar 24th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  (
    regex.icontains(subject.base, '\bcard\b')
    or regex.icontains(body.current_thread.text, '\bcard\b')
  )
  and strings.ilike(body.current_thread.text,
                    "*could be with you*",
                    "*currently accessible*",
                    "*collect bank details*",
                    "*not a financial institution*"
  )
)
and any(body.links,
        strings.ilike(.display_text,
                      "*track order*",
                      "*track*card*",
                      "*card status*"
        )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started