• Sublime Core Feed
High Severity

EML attachment with credential theft language (unknown sender)

Labels

Credential Phishing
Evasion
Social engineering
Natural Language Understanding
Sender analysis
Content analysis
Header analysis

Description

Identifies EML attachments that use credential theft language from unknown senders.

References

No references.

Sublime Security
Created Nov 22nd, 2023 • Last updated Oct 3rd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// we don't look for links because it could be a QR code
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension =~ "eml")
        and (
          // credential theft language in the attached EML
          any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          // credential theft language in an attachment in the attached EML
          or any(file.parse_eml(.).attachments,
                 any(ml.nlu_classifier(beta.ocr(.).text).intents,
                     .name == "cred_theft" and .confidence == "high"
                 )
          )
        )
        and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        // some systems attach the bounceback this way
        and not any(file.parse_eml(.).attachments,
                    .content_type in (
                      "message/delivery-status",
                      "message/feedback-report"
                    )
        )
        // negate Mimecast Attachment Protection
        and not (
          any(attachments,
              .file_name == 'We sent you safe versions of your files'
          )
          and strings.contains(body.current_thread.text,
                               'Mimecast Attachment Protection has deemed this file to be safe, but always exercise caution when opening files.'
          )
        )
        // negate Microsoft Dynamic Delivery
        and not (
          length(file.parse_eml(.).attachments) == 0
          and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                "Your attachments are currently being scanned by Safe Attachments"
          )
        )
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
and not any(attachments,
            .content_type in (
              "message/delivery-status",
              "message/feedback-report"
            )
)
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  // sender address listed as a recipient 
  or (
    length(recipients.to) == 1
    and sender.email.email in map(recipients.to, .email.email)
  )
)
and not profile.by_sender_email().any_messages_benign
// negate instances where proofpoint sends a review of a reported message via analyzer 
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started