Medium Severity

Credential phishing: Financial lure via ActiveCampaign infrastructure

Labels

Credential Phishing

Social engineering

Content analysis

Header analysis

Natural Language Understanding

Sender analysis

Description

Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.

References

No references.

Sublime Security

Created Mar 27th, 2026 • Last updated Mar 27th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and strings.contains(headers.mailer, "ActiveCampaign")
and (
  strings.ilike(body.current_thread.text,
                "*Piratini*",
                "*45.405.898/0001-16*",
                "*Cancelar inscri*",
                "*Matem?tica Genial*"
  )
  or strings.ilike(body.html.raw,
                   "*belonging to Spun*",
                   "*affiliated with Spun*"
  )
)
and (
  length(html.xpath(body.html,
                    '//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]'
         ).nodes
  ) > 0
  or length(html.xpath(body.html, '//a/img').nodes) > 0
)
and ml.nlu_classifier(body.current_thread.text).language == "english"
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Health and Wellness", "Entertainment and Sports")
            and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.