• Sublime Core Feed
Medium Severity

Link: Credential phishing link with undisclosed recipients

Labels

Credential Phishing
Evasion
Computer Vision
Header analysis
URL screenshot

Description

This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  // No Recipients
  length(recipients.to) == 0
  or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and any(body.links,
        ml.link_analysis(.).credphish.disposition == "phishing"
        and ml.link_analysis(.).credphish.confidence in ("medium", "high")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started