• Sublime Core Feed

Description

Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.

References

No references.

Sublime Security
Created Oct 1st, 2025 • Last updated Oct 1st, 2025
Source
type.inbound
and sender.email.email == ""
and (
  strings.icontains(sender.display_name, "mailer-daemon")
  or strings.icontains(sender.display_name, "postmaster")
)
and not (
  (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Bounce Back and Delivery Failure Notifications"
        and .confidence == "high"
    )
    or regex.icontains(subject.subject, 'Undeliver(?:ed|able)')
    or regex.icontains(subject.subject, 'Mensagem não entregue') // Portuguese bounce back variant
    or regex.icontains(subject.subject, '系统退信') // Chinese bounce back variant
  )
)
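
The rule's header and subject conditions, re-expressed in Python as an added example (not Sublime's code) so they can be run over raw messages offline. Assumptions: Python's `parseaddr` stands in for Sublime's parsing of `sender.email.email` and `sender.display_name`, every input is treated as inbound, and the `nlu_bounce_high` parameter is a hypothetical stand-in for the `ml.nlu_classifier` verdict, which is not reproduced here.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

SYSTEM_NAMES = ("mailer-daemon", "postmaster")
# The rule's three subject patterns, matched case-insensitively.
BOUNCE_SUBJECT = re.compile(
    r"Undeliver(?:ed|able)|Mensagem não entregue|系统退信", re.IGNORECASE
)

def _decoded(value):
    """Decode RFC 2047 encoded-words so matching sees the rendered text."""
    return str(make_header(decode_header(value or "")))

def rule_matches(raw_eml, nlu_bounce_high=False):
    """True when the message would be flagged by the header/subject logic."""
    msg = message_from_string(raw_eml)
    display_name, address = parseaddr(msg.get("From", ""))
    display_name = _decoded(display_name).lower()
    subject = _decoded(msg.get("Subject", ""))
    # sender.email.email == "" and display name contains a system account name
    system_sender = address == "" and any(n in display_name for n in SYSTEM_NAMES)
    # Exclusion branch: NLU verdict (supplied by caller) or a bounce subject
    looks_like_bounce = nlu_bounce_high or bool(BOUNCE_SUBJECT.search(subject))
    return system_sender and not looks_like_bounce

# Constructed sample messages (not real mail).
SAMPLES = {
    "null_sender_no_bounce": 'From: "Mailer-Daemon" <>\nSubject: Mailbox notice\n\nPlease review.\n',
    "null_sender_pt_bounce": 'From: "Postmaster" <>\n'
        "Subject: =?UTF-8?Q?Mensagem_n=C3=A3o_entregue?=\n\nFalha na entrega.\n",
    "null_sender_en_bounce": "From: MAILER-DAEMON <>\n"
        "Subject: Undelivered Mail Returned to Sender\n\nDelivery failed.\n",
    "real_address": 'From: "Postmaster" <postmaster@example.com>\n'
        "Subject: Mailbox notice\n\nPlease review.\n",
}

if __name__ == "__main__":
    for name, eml in SAMPLES.items():
        print(f"{name}: {rule_matches(eml)}")
```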