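// Inbound credential-theft lure themed around mail-server / mailbox
// deactivation. Every top-level "and" branch must hold; the "N of (...)"
// groups are count thresholds over the listed signals.
type.inbound
// Short body with few links: the shape of a single lure message rather
// than a newsletter or long thread.
and length(body.current_thread.text) < 2000
and length(body.links) < 10
// Either the classifier reports a high-confidence cred_theft intent, or the
// body is not English (for non-English text the intent check is skipped).
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or ml.nlu_classifier(body.current_thread.text).language != "english"
)
// The topic must still be security/authentication at high confidence.
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Security and Authentication" and .confidence == "high"
)
// email server language: at least three distinct signals. Each signal is
// listed exactly once so that one matching phrase cannot fill more than
// one slot of the threshold (the "<root_domain> server" check previously
// appeared twice and counted double).
and 3 of (
  strings.icontains(body.current_thread.text, "security token"),
  strings.icontains(body.current_thread.text, "still active"),
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
  regex.icontains(body.current_thread.text, 're[- ]?activat(e|ing)'),
  regex.contains(body.current_thread.text, '\bMX\b'),
  strings.icontains(body.current_thread.text, "mail servers"),
  strings.icontains(body.current_thread.text, "email termination"),
  strings.icontains(body.current_thread.text, "locked out"),
  strings.icontains(body.current_thread.text, "email account"),
  strings.icontains(body.current_thread.text, "credential"),
  strings.icontains(subject.base, "disconnection"),
  // Recipient-derived personalization: the lure echoes the target's own
  // address, local part or domain back to them.
  any(recipients.to,
      .email.domain.valid and strings.icontains(subject.base, .email.email)
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("dear ", .email.local_part)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat(.email.domain.root_domain, " server")
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("attn: ", .email.local_part)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icount(body.current_thread.text, .email.email) > 1
  )
)
// suspicious link: at least two signals. Every check only considers links
// whose root domain differs from the sender's root domain, so links back to
// the sender's own site never contribute.
and 2 of (
  // display text entirely upper-case (regex.match anchors on the whole string)
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      regex.match(.display_text, '[A-Z ]+')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'update')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'confirm')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'resolve')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'auth')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.root_domain == "ru.com"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.path == "/lt.php"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.tld in $suspicious_tlds
  ),
  // recipient address embedded in the link URL or its display text
  // (".." refers to the outer recipients.to element)
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.href_url.url, ..email.email)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.display_text, ..email.email)
      )
  ),
  // free file hosts, matched on the full domain or on the root domain
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_file_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.root_domain in $free_file_hosts
    )
  ),
  // free subdomain hosts, matched on the full domain or on the root domain
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_subdomain_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.root_domain in $free_subdomain_hosts
    )
  )
)
// and the sender is not from high trust sender root domains:
// a high-trust root domain is only accepted here when DMARC did not pass
// (i.e. the trusted domain may be spoofed); any other sender domain
// passes this branch unconditionally.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)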