Sublime Core Feed

Login to Sublime

Medium Severity

Link: Credential Phishing link with Undisclosed Recipients

Labels

Credential Phishing

Computer Vision

Header analysis

Description

This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

type.inbound
and (
  // No Recipients
  length(recipients.to) == 0
  or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and any(body.links,
        ml.link_analysis(.).credphish.disposition == "phishing"
        and ml.link_analysis(.).credphish.confidence in ("medium", "high")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.