Medium Severity

Credential phishing: Image as content, short or no body contents

Labels

Credential Phishing

Evasion

Natural Language Understanding

Optical Character Recognition

Description

This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.

References

No references.

Sublime Security

Created Sep 8th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.links) < 2
and 0 < (length(attachments)) < 3
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 900
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      (
        strings.contains(body.current_thread.text, sender.email.email)
        and strings.contains(body.current_thread.text, 'caution')
      )
      or regex.icontains(body.current_thread.text,
                         "intended recipient's use only|external email|sent from outside|you don't often"
      )
    )
  )
)
and (
  all(attachments,
      (.file_type in $file_types_images)
      and (
        any(file.explode(.),
            any(.scan.exiftool.fields, .value == "Truncated PNG image")
            or (
              any(ml.logo_detect(..).brands, .name is not null)
              and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
              )
            )
        )
      )
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.