Medium Severity

Link: Generic financial document with proceedural timeline template

Description

Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients.

References

No references.

Sublime Security
Created Jul 10th, 2026 • Last updated Jul 10th, 2026
Source
type.inbound
// link limiter scopes thread hijacking but limits reports
and length(body.links) <= 40

// expectation of time
and regex.icontains(body.current_thread.text,
                    'will be released.{0,15}(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(?:January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},',
                    '\b[1-4]\W[1-4]\b.{1,10}days'
)

// link is malicious
and any(body.links,
        // key phrasing or nlu
        (
          regex.icontains(.display_text,
                          '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)',
                          'advice',
                          'deposit',
                          'document',
                          'eft',
                          'release',
                          'remit'
          )
          or any(ml.nlu_classifier(body.current_thread.text).topics,
                 .name == "Request to View Invoice" and .confidence == "high"
          )
        )
        // suspicious hosting
        and (
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.tld in $suspicious_tlds
          or .href_url.domain.domain in $self_service_creation_platform_domains
          or (
            .href_url.domain.root_domain not in $tranco_1m
            and not .href_url.scheme == "mailto"
          )
          or .href_url.domain.root_domain in $url_shorteners
          // open redirect
          or strings.icontains(.href_url.query_params, '=https', 'url=', 'upn=')
          // bait and switch CTA observed
          or (
            strings.icontains(body.current_thread.text, "[message clipped]")
            and strings.icontains(.display_text, "view entire message")
          )
        )
        // negate org domains
        and .href_url.domain.valid != false
        and .href_url.domain.root_domain not in $org_domains
)

// suspicious sender behavior
and (
  (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and sender.email.email == recipients.to[0].email.email
  )
  // the recipient is undisclosed or there are no recipients
  or (
    length(recipients.to) == 0
    or all(recipients.to, .email.domain.valid == false)
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started