High Severity

Impersonation: Employee using fabricated identity in initial contact

Labels

BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Sender analysis

Description

Detects inbound messages that appear to be initial contact attempts where the sender uses a display name that doesn't match their email address, includes basic greetings referencing the subject line, and signs off with their display name. The message is short with no attachments, suggesting a social engineering setup for further communication.

References

No references.

Sublime Security
Created May 28th, 2026 • Last updated May 28th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// not a reply thread — this is initial contact
and length(headers.references) == 0
// short body, no attachments — initial contact social engineering
and length(body.current_thread.text) < 500
and length(attachments) == 0
// contains basic greeting
and any(["Hey", "Hi", "Hello"],
        strings.starts_with(body.current_thread.text,
                            strings.concat(.,
                                           " ",
                                           regex.extract(subject.base,
                                                         '^\P{L}*([\p{L}''-]+)'
                                           )[0].groups[0],
                                           ",\n"
                            )
        )
)
// ends with the senders display name
and strings.ends_with(body.current_thread.text,
                      strings.concat("\n", sender.display_name, ".")
)
// sender display name not in the actual email address local part
and any(regex.iextract(sender.display_name, '\w+'),
        .full_match not in~ (sender.email.local_part)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started