Medium Severity

Link: Cloud service with credential theft language

Labels

Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
URL analysis

Description

Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.

References

No references.

Sublime Security
Created Apr 23rd, 2026 • Last updated Apr 23rd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  strings.starts_with(body.current_thread.text, 'Cloud')
  // cloud emoji
  or regex.contains(body.current_thread.text, '^\x{2601}')
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == 'File Sharing and Cloud Services' and .confidence == 'high'
)
// sender domain matches no body domains
and length(body.links) > 0
and all(body.links,
        .href_url.domain.root_domain != sender.email.domain.root_domain
)
// negate legit cloud companies
and not (
  sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
  // check for SPF or DMARC passed
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started