Medium Severity

Impersonation: Recipient organization in sender display name with credential theft image

Labels

Credential Phishing

Image as content

Natural Language Understanding

Optical Character Recognition

Sender analysis

Description

Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text.

References

No references.

Sublime Security

Created Feb 17th, 2026 • Last updated Feb 17th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.links) <= 1
and length(attachments) == 1
and strings.icontains(sender.display_name, recipients.to[0].email.domain.sld)
and length(recipients.to) == 1
and recipients.to[0].email.domain.root_domain in $org_domains
and 
// No body text
(
  length(body.current_thread.text) == 0 or body.current_thread.text is null
)
and all(attachments,
        .file_type in $file_types_images
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        and strings.icontains(beta.ocr(.).text,
                              recipients.to[0].email.domain.sld
        )
        and any(ml.nlu_classifier(beta.ocr(.).text).intents,
                .name == "cred_theft" and .confidence == "high"
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.