High Severity

Link abuse: Self-service creation platform link with suspicious recipient behavior

Labels

BEC/Fraud

Credential Phishing

Description

Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.

References

No references.

Sublime Security

Created Dec 2nd, 2025 • Last updated Dec 2nd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// new freemail sender
and profile.by_sender_email().prevalence == "new"
and sender.email.domain.domain in $free_email_providers
// sus rcpt behavior
and (
  // invalid rcpt
  length(filter(recipients.to, .email.domain.valid)) == 0
  // self sender
  or (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // BCC is another freemail
  or (
    length(recipients.cc) == 1
    and all(recipients.cc, .email.domain.domain in $free_email_providers)
  )
  // the recipient is another freemail with bcc
  or (
    length(recipients.to) == 1
    and recipients.to[0].email.domain.domain in $free_email_providers
    and length(recipients.bcc) > 0
  )
)
// few body links
and length(body.current_thread.links) < 10
// the self_service_creation_platform contains a link with the display_text in all caps
and any(body.current_thread.links,
        (
          .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.domain in $self_service_creation_platform_domains
        )
        and regex.match(.display_text, '[A-Z0-9_\-\s]+')
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.