Medium Severity
Fake shipping notification with suspicious language
Description
The body contains shipping-related keywords and suspicious, urgent language, and addresses the recipient by the local part of their email address rather than by name, which is an indicator of phishing and/or spam.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated May 3rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
// contains at least 1 link
and length(body.links) > 0
// at least 3 of the 4 shipping-related phrases appear in the body
and 3 of (
  strings.ilike(body.current_thread.text, "*(1)*"),
  strings.ilike(body.current_thread.text, "*waiting for delivery*"),
  strings.ilike(body.current_thread.text, "*delivery missed*"),
  strings.ilike(body.current_thread.text, "*tracking number*")
)
// urgent/time-sensitive language
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency"
)
// the body addresses the recipient by their email local part rather than their name
and any(recipients.to,
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .text == ..email.local_part
        )
)
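As an added illustration (not part of the Sublime rule or the Sublime Core Feed), the Python below approximates the rule's four conditions over constructed sample messages, so an analyst can see what does and does not fire and why. It is an approximation: the `URGENCY_PHRASES` keyword list and the whole-word search for the recipient's local part stand in for `ml.nlu_classifier`, which only exists inside Sublime; the `Message` class, the sample texts and the link URLs are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The four shipping phrases from the rule's "3 of (...)" block.
SHIPPING_PHRASES = ("(1)", "waiting for delivery", "delivery missed", "tracking number")

# Assumption: a small keyword list stands in for the NLU "urgency" entity.
URGENCY_PHRASES = ("immediately", "within 24 hours", "final notice", "act now", "urgent")


@dataclass
class Message:
    """Minimal stand-in for the fields the rule reads (constructed for this example)."""
    to_addresses: List[str]
    text: str
    links: List[str] = field(default_factory=list)


def shipping_hits(text: str) -> int:
    """Count how many of the four shipping phrases appear, case-insensitively."""
    lower = text.lower()
    return sum(1 for phrase in SHIPPING_PHRASES if phrase in lower)


def has_urgency(text: str) -> bool:
    """Approximates 'any entity named urgency' with a keyword match."""
    lower = text.lower()
    return any(phrase in lower for phrase in URGENCY_PHRASES)


def addressed_by_local_part(text: str, recipients: List[str]) -> bool:
    """True if the body contains a recipient's local part as a whole word
    (e.g. 'Dear jdoe' for jdoe@example.com), i.e. not personalized by name."""
    for addr in recipients:
        local = addr.split("@", 1)[0]
        if re.search(r"\b" + re.escape(local) + r"\b", text, re.IGNORECASE):
            return True
    return False


def evaluate(msg: Message) -> Dict[str, bool]:
    """Return each sub-condition and the overall verdict, mirroring the rule."""
    conditions = {
        "has_link": len(msg.links) > 0,
        "shipping_keywords": shipping_hits(msg.text) >= 3,
        "urgency": has_urgency(msg.text),
        "addressed_by_local_part": addressed_by_local_part(msg.text, msg.to_addresses),
    }
    conditions["match"] = all(conditions.values())
    return conditions


def fake_shipping_notification(msg: Message) -> bool:
    return evaluate(msg)["match"]


# Constructed sample messages; the link values are placeholders, not real URLs.
SAMPLES = {
    "fake_notification": Message(
        to_addresses=["jdoe@example.com"],
        text=("Dear jdoe, your package (1) is waiting for delivery. Status: delivery missed. "
              "Confirm your tracking number within 24 hours or the parcel will be returned."),
        links=["http://tracking-link.invalid/placeholder"],
    ),
    "legit_notification": Message(
        to_addresses=["jdoe@example.com"],
        text=("Hi Jane, your order is waiting for delivery. Tracking number: 1Z999AA10123456784. "
              "Thanks for shopping with us."),
        links=["http://shop.example/orders/placeholder"],
    ),
    # Same text as the fake one but with no link: the rule requires at least one.
    "no_link": Message(
        to_addresses=["jdoe@example.com"],
        text=("Dear jdoe, your package (1) is waiting for delivery. Status: delivery missed. "
              "Confirm your tracking number within 24 hours or the parcel will be returned."),
        links=[],
    ),
}


def run_samples() -> Dict[str, bool]:
    """Verdict per sample; useful for regression-testing a tuned version of the rule."""
    return {name: fake_shipping_notification(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The legitimate notification shares two of the four shipping phrases with the phishing sample but is addressed by name and carries no urgency, so it stays below the rule's thresholds; the `evaluate` breakdown is what you would look at when tuning which sub-condition is producing false positives or negatives in your own mail.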