Medium Severity

Link: Free file host links from suspicious support sender with credential theft language

Description

Detects inbound messages from senders using the local part 'support' that contain a small number of links pointing exclusively to free file hosting services. The message contains NLU signals indicate credential theft intent related to file sharing or cloud services.

References

No references.

Sublime Security
Created Jun 25th, 2026 • Last updated Jun 25th, 2026
Source
type.inbound
and sender.email.local_part == 'support'
and 1 < length(filter(body.current_thread.links,
                      not regex.icontains(.href_url.url,
                                          '\.(pdf|doc|docx|csv|xls|xlsx|ppt|pptx)'
                      )
               )
) <= 5
and all(body.current_thread.links,
        .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.domain in $free_file_hosts
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence != 'low'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == 'File Sharing and Cloud Services' and .confidence != 'low'
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started