Medium Severity

Fake shipping notification with suspicious language

Description

Body contains shipping keywords and suspicious language, and addresses the recipient by their email address rather than by name, which is an indicator of phishing and/or spam.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Source
type.inbound
// contains at least 1 link
and length(body.links) > 0
and 3 of (
  strings.ilike(body.current_thread.text, "*(1)*"),
  strings.ilike(body.current_thread.text, "*waiting for delivery*"),
  strings.ilike(body.current_thread.text, "*delivery missed*"),
  strings.ilike(body.current_thread.text, "*tracking number*")
)

// urgent/time-sensitive language
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency"
)

// email is not personalized with the recipient's name: the NLU entity text equals the address local part instead
and any(recipients.to,
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .text == ..email.local_part
        )
)