• Sublime Core Feed
Low Severity

Link: Invoice or receipt from freemail sender with customer service number

Labels

BEC/Fraud
Callback Phishing
Free email provider
Impersonation: Brand
Social engineering
Content analysis
Sender analysis
URL analysis

Description

An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.

References

No references.

@vector_sec
Created Aug 17th, 2023 • Last updated Oct 4th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
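// inbound messages only
type.inbound
// sender's root domain is a free email provider
and sender.email.domain.root_domain in $free_email_providers
// at least one link is displayed as "Unsubscribe", has no query parameters,
// and points at a bare root path or at google.com outside of /forms/
and any(body.links,
        .display_text == "Unsubscribe"
        and (length(.href_url.query_params) == 0 or .href_url.query_params is null)
        and (
          .href_url.path == "/"
          or .href_url.path is null
          or (
            .href_url.domain.root_domain == "google.com"
            and not strings.ilike(.href_url.path, "*/forms/*")
          )
        )
)
// sender address is not in the $sender_emails list
and sender.email.email not in $sender_emails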
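
The rule's conditions modelled in Python and run over constructed messages, to show which "Unsubscribe" link shapes it flags. This is an added example, not Sublime's code: the list contents, sample messages and function names are assumptions, and root_domain() approximates MQL's root_domain with the last two host labels.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the $free_email_providers and $sender_emails lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
SENDER_EMAILS = {"billing@gmail.com"}


def root_domain(host):
    # Assumption: last two labels; exact results need the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def suspicious_unsubscribe(display_text, href):
    """Model of the any(body.links, ...) predicate for a single link."""
    if display_text != "Unsubscribe":  # exact, case-sensitive comparison
        return False
    url = urlsplit(href)
    if url.query:  # the rule requires a link with no query parameters
        return False
    bare_root = url.path in ("", "/")  # path is "/" or absent
    google_non_form = (root_domain(url.hostname or "") == "google.com"
                       and "/forms/" not in url.path.lower())
    return bare_root or google_non_form


def rule_matches(msg):
    sender = msg["sender"].lower()
    return (msg["inbound"]
            and root_domain(sender.rsplit("@", 1)[-1]) in FREE_EMAIL_PROVIDERS
            and any(suspicious_unsubscribe(t, h) for t, h in msg["links"])
            and sender not in SENDER_EMAILS)


def mk(sender, href):
    return {"inbound": True, "sender": sender, "links": [("Unsubscribe", href)]}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "bare_root": mk("acct.notice77@gmail.com", "https://example.com/"),
    "google_non_form": mk("refunds.desk@outlook.com", "https://www.google.com/maps"),
    "google_form": mk("refunds.desk@outlook.com", "https://docs.google.com/forms/d/x/viewform"),
    "tracked_link": mk("news.list@gmail.com", "https://example.com/unsub?u=123"),
    "known_sender": mk("billing@gmail.com", "https://example.com/"),
    "corporate_sender": mk("ap@vendor.example", "https://example.com"),
}


def evaluate_samples():
    return {name: rule_matches(m) for name, m in SAMPLES.items()}
```

Only the first two samples match: the others fail on the /forms/ exclusion, the query-parameter check, the $sender_emails check and the freemail check respectively.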