Medium Severity

Impersonation: Fake product discount promotion

Labels

BEC/Fraud
Social engineering
Free file host
Content analysis
HTML analysis
URL analysis

Description

Detects messages containing fake product discount offers that leads to a googleapis.com domain.

References

No references.

Sublime Security
Created Jun 16th, 2026 • Last updated Jun 16th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and strings.icontains(body.current_thread.text,
                      "hi {email}",
                      "participation is voluntary",
                      "limit one discount",
                      "limited time offer",
                      "code",
                      "survey"
)
and (
  regex.icontains(body.current_thread.text, 'claim \d+% off')
  or regex.icontains(body.current_thread.text, '\d+ question')
)
and any(body.current_thread.links,
        .href_url.domain.root_domain == "googleapis.com"
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Advertising and Promotions")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started