Low Severity
Extortion / sextortion (untrusted sender)
Description
Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(filter(body.links, .display_text is not null)) < 10
and not (
ml.nlu_classifier(body.current_thread.text).language == "english"
and any(beta.ml_topic(body.html.display_text).topics,
.name in (
"News and Current Events",
"Newsletters and Digests",
"Advertising and Promotions"
)
and .confidence == "high"
)
)
and (
(
any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
)
).entities,
.name == "financial"
)
)
// manual indicators failsafe
or 3 of (
// malware terms
regex.icontains(strings.replace_confusables(body.current_thread.text),
"((spy|mal)ware|t[rŗ]ojan|remote control|infiltrat(ed|ion))"
),
// actions recorded
regex.icontains(strings.replace_confusables(body.current_thread.text),
"po[rŗ]n|adult (web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off"
),
regex.icontains(strings.replace_confusables(body.current_thread.text),
"pe[rŗ]ve[rŗ]t|pe[rŗ]ve[rŗ]sion|mastu[rŗ]bat"
),
// a timeframe to pay
regex.icontains(strings.replace_confusables(body.current_thread.text),
'[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])',
'(?:one|two|th[rŗ]ee|\d) days?'
),
// a promise from the actor
regex.icontains(strings.replace_confusables(body.current_thread.text),
'(?:pe[rŗ]manently|will) delete|([rŗ]emove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
),
// a threat from the actor
regex.icontains(strings.replace_confusables(body.current_thread.text),
'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
),
// bitcoin language (excluding newsletters)
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'bitc[oöة]+in|\bbtc\b|blockchain'
)
// negate cryptocurrency newsletters
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and (
strings.icontains(.href_url.path, "unsubscribe")
// handle mimecast URL rewrites
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
)
)
)
)
),
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text),
'(\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
)
),
regex.icontains(strings.replace_confusables(body.current_thread.text),
'bc1q.{0,50}\b'
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
// many extortion emails spoof sender domains and fail sender authentication
or (
not headers.auth_summary.dmarc.pass
or headers.auth_summary.dmarc.pass is null
or not headers.auth_summary.spf.pass
)
)
// negate benign newsletters that mention cyber extortion
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and strings.icontains(.href_url.path, "unsubscribe")
// newsletters are typically longer than the average extortion script
and length(body.current_thread.text) > 2000
)
)
and length(body.current_thread.text) < 6000
Playground
Test against your own EMLs or sample data.