• Sublime Core Feed
Medium Severity

Free subdomain link with login or captcha (untrusted sender)

Labels

Credential Phishing
Free subdomain host
Social engineering
Computer Vision
File analysis
Sender analysis
URL screenshot

Description

Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 0 < length(body.links) < 10
and any(body.links,

        // contains login or captcha
        (
          ml.link_analysis(.).credphish.contains_login
          or ml.link_analysis(.).credphish.contains_captcha
        )

        // either the original or the redirect is a free subdomain
        and (
          ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
        )

        // exclude FP prone free subdomain hosts
        // if it's a known brand impersonation, we'll detect it in other rules
        and .href_url.domain.root_domain not in ("zendesk.com")
        and ml.link_analysis(.).effective_url.domain.root_domain not in ("zendesk.com")
        and ml.link_analysis(.).effective_url.domain.domain not in ("login.squarespace.com")
)

// exclude all freesubdomain links are images
and length(filter(body.links, 
               .href_url.domain.root_domain in $free_subdomain_hosts
               and .href_url.domain.subdomain is not null
               and .href_url.domain.subdomain != "www") ) > 0

and not all(filter(body.links, 
               .href_url.domain.root_domain in $free_subdomain_hosts
               and .href_url.domain.subdomain is not null
               and .href_url.domain.subdomain != "www"), (strings.ends_with(.href_url.url, "jpeg") or strings.ends_with(.href_url.url, "png")))

// exclude FP prone senders
and sender.email.domain.root_domain not in ("sharepointonline.com")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started