Medium Severity

Credential phishing: 'Secure message' and engaging language

Labels

Credential Phishing

Social engineering

Natural Language Understanding

Sender analysis

Description

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)

// ----- other suspicious signals here -----
and (
  strings.icontains(body.html.display_text, "secure message")
  or strings.icontains(body.html.display_text, "document portal")
  or strings.icontains(body.html.display_text, "encrypted message")
)

// todo: automated display name / human local part
// todo: suspicious link (unfurl click trackers)

// ----------

// has at least 1 link
and length(body.links) > 0

// negate legitimate message senders
and (
  sender.email.domain.root_domain not in ("protectedtrust.com")
  and any(body.links,
          .href_url.domain.root_domain != sender.email.domain.root_domain
  )
  // Negate known secure mailer(s)
  and not all(body.links,
              .href_url.domain.root_domain in ("mimecast.com", "cisco.com", "csiesafe.com")
  )
  and any(headers.hops,
          .index == 0
          and not any(.fields,
                      strings.contains(.value,
                                       'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
                      )
          )
  )
  and not (
    length(filter(attachments,
                  strings.ilike(.file_name,
                                "logo.*",
                                "lock.gif",
                                "SecureMessageAtt.html"
                  )
           )
    ) == 3
    and any(attachments,
            .file_type == "html"
            and any(file.explode(.),
                    .scan.html.title == "Proofpoint Encryption"
                    and any(.scan.url.urls, strings.iends_with(.path, 'formpostdir/safeformpost.aspx'))
            )
            and strings.count(file.parse_html(.).raw, 'name="msg') > 3
    )
  )
  and not (
    any(headers.hops, any(.fields, .name == 'X-ZixNet'))
    and any(headers.domains,
            .root_domain in ("zixport.com", "zixcorp.com", "zixmail.net", "zixworks.com")
    )
  )
  and not (
    any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
    and any(headers.domains,
            .root_domain in ("sendinc.net")
    )
  )
  // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
  and not length(filter(body.links,
                    (
                      .display_text is null
                      and .display_url.url == sender.email.domain.root_domain
                    )
                    or .href_url.domain.root_domain in ("aka.ms", "mimecast.com", "cisco.com")
             )
  ) == length(body.links)
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.