Description

Detects inbound messages where the sender is using a free email provider and their display name matches an known organizational display name. The sender's local part contains common organizational role keywords (mail, office, staff, executive), and the subject line matches the recipient's first name or display name, suggesting a targeted impersonation of an internal employee or executive.

References

No references.

Sublime Security
Created Jul 10th, 2026 • Last updated Jul 10th, 2026
Source
type.inbound
// suspicious local part
and strings.contains(sender.email.local_part,
                     'mail',
                     'office',
                     'staff',
                     'executive'
)
and (mailbox.first_name == subject.base or mailbox.display_name == subject.base)
and strings.contains(sender.display_name, " ")
and sender.display_name in~ $org_display_names
and sender.email.domain.root_domain in $free_email_providers
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started