Medium Severity

Impersonation: Salesforce fake campaign failure notification

Labels

Credential Phishing

Impersonation: Brand

Social engineering

Content analysis

Natural Language Understanding

Sender analysis

URL analysis

Description

Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains.

References

No references.

Sublime Security

Created Sep 8th, 2025 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and strings.icontains(sender.display_name, "salesforce")
and sender.email.domain.root_domain not in (
  "salesforce.com",
  "force.com",
  "site.com",
  "agentforce.com"
)
and length(attachments) == 0
// theare are external links (not org or SF domains)
and length(filter(body.links,
                  .href_url.domain.domain not in $org_domains
                  and .href_url.domain.root_domain not in (
                    "salesforce.com",
                    "force.com",
                    "site.com" // salesforce CRM 
                  )
           )
) > 0
and length(body.current_thread.text) <= 600
and strings.contains(body.current_thread.text, 'campaign')
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency" and regex.icontains(.text, "(failed|cancelled)")
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.