• Sublime Core Feed
Medium Severity

Link: Google Forms link with credential theft language

Labels

Credential Phishing
Social engineering
Natural Language Understanding
Sender analysis
URL analysis

Description

Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials.

References

No references.

Sublime Security
Created Mar 2nd, 2026 • Last updated Mar 2nd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// cred_theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
// google form link
and any(body.current_thread.links,
        .href_url.domain.domain == "docs.google.com"
        and strings.istarts_with(.href_url.path, '/form')
)
// new sender
and profile.by_sender_email().prevalence == "new"
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started