High Severity
Credential phishing link (unknown sender)
Description
Message contains a link to a credential phishing page from an unknown sender.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and 0 < length(body.links) < 10
and any(body.links,
ml.link_analysis(.).credphish.disposition == "phishing"
and (
ml.link_analysis(.).credphish.confidence in ("medium", "high")
or ml.link_analysis(.).credphish.contains_captcha
)
and length(ml.link_analysis(.).final_dom.links) < 50
// negate legitimate use of Google reCAPTCHA embedded badge
and not (
(
ml.link_analysis(.).credphish.brand.name == "Captcha"
or ml.link_analysis(.).credphish.contains_captcha
)
and length(html.xpath(ml.link_analysis(.).final_dom,
"//div[@class='grecaptcha-badge' and @data-style='bottomright']"
).nodes
) == 1
)
)
and (
(
not profile.by_sender().solicited
and profile.by_sender().prevalence != "common"
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate legit replies threads
and not (
(
strings.istarts_with(subject.subject, "RE:")
// out of office auto-reply
or strings.istarts_with(subject.subject, "Automatic reply:")
)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.