• Sublime Core Feed
High Severity

Credential phishing link (unknown sender)

Labels

Credential Phishing
Social engineering
Computer Vision
Sender analysis
URL analysis
URL screenshot

Description

Message contains a link to a credential phishing page from an unknown sender.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 0 < length(body.links) < 10
and any(body.links,
        ml.link_analysis(.).credphish.disposition == "phishing"
        and (
          ml.link_analysis(.).credphish.confidence in ("medium", "high")
          or ml.link_analysis(.).credphish.contains_captcha
        )
        and length(ml.link_analysis(.).final_dom.links) < 50
        // negate legitimate use of Google reCAPTCHA embedded badge
        and not (
          (
            ml.link_analysis(.).credphish.brand.name == "Captcha"
            or ml.link_analysis(.).credphish.contains_captcha
          )
          and length(html.xpath(ml.link_analysis(.).final_dom,
                                "//div[@class='grecaptcha-badge' and @data-style='bottomright']"
                     ).nodes
          ) == 1
        )
)
and (
  (
    not profile.by_sender().solicited
    and profile.by_sender().prevalence != "common"
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate legit replies threads
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    // out of office auto-reply
    or strings.istarts_with(subject.subject, "Automatic reply:")
  )
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started