• Sublime Core Feed
High Severity

Free subdomain link with credential theft indicators

Labels

Credential Phishing
Free subdomain host
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
URL screenshot

Description

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Dec 12th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(body.links,
        .href_url.domain.root_domain in $free_subdomain_hosts
        and .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
)
and (
  (
    (
      length(recipients.to) == 0
      or all(recipients.to, .display_name == "Undisclosed recipients")
    )
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to, .email.email == sender.email.email)
  )
  or (
    length(recipients.to) == 0
    and length(recipients.cc) == 0
    and length(recipients.bcc) > 0
  )
)
and any(body.links,
        any(file.explode(ml.link_analysis(.).screenshot),
            any(ml.nlu_classifier(.scan.ocr.raw).intents,
                .name == "cred_theft" and .confidence != "low"
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started