• Sublime Core Feed
High Severity

Link: Mamba 2FA phishing kit

Description

Detects links whose redirect history contains base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically the base64-encoded forms of the 'sv=o365' and '&uid=USER' strings.

References

No references.

Sublime Security
Created Nov 19th, 2025 • Last updated Dec 16th, 2025
Source
type.inbound
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == 'cred_theft' and .confidence == 'high'
  )
  or (
    length(recipients.to) == 1
    and any(recipients.to,
            strings.icontains(body.current_thread.text, .email.email)
    )
    and regex.icontains(body.current_thread.text,
                        '(invoice|document|docusign|past due|confirm receipt)'
    )
  )
  or (
    sender.email.domain.domain == 'icloud.com'
    and any(attachments, .file_name == 'invite.ics')
  )
)
and any(body.links,
        any(ml.link_analysis(., mode="aggressive").redirect_history,
            (
              // sv=o365 to base64
              strings.contains(.url, 'c3Y9bzM2NV')
              // &uid=USER base64 offsets
              and (
                strings.contains(.url, 'JnVpZD1VU0VS')
                or strings.contains(.url, 'Z1aWQ9VVNFU')
                or strings.contains(.url, 'mdWlkPVVTRV')
              )
            )
        )
)
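As an added example (not part of the Sublime rule or this page), the following Python derives the base64 substrings that stay constant for a marker string at each of the three possible byte alignments, which is why the rule carries three constants for '&uid=USER', and applies the same two-marker check to a constructed redirect history. It generalizes the rule slightly: the rule's 'sv=o365' constant 'c3Y9bzM2NV' is the alignment-0 pattern plus one extra character, so the derived pattern is a little broader; the hosts and URLs below are constructed, not real kit URLs.

```python
import base64
from typing import List

# Marker strings used by the rule. The rule's three '&uid=USER' constants are
# this marker base64-encoded at each of the three possible byte alignments.
SV_MARKER = b"sv=o365"
UID_MARKER = b"&uid=USER"

def base64_alignment_patterns(marker: bytes) -> List[str]:
    """Substrings of base64 output fully determined by `marker`, one per
    alignment (0, 1 or 2 bytes preceding it within a 3-byte group)."""
    patterns = []
    for offset in range(3):
        # Placeholder bytes shift the marker to the wanted alignment.
        enc = base64.b64encode(b"\x00" * offset + marker).rstrip(b"=").decode()
        # Output char i covers bits 6i..6i+5; keep only chars whose bits lie
        # entirely inside the marker (edge chars also depend on neighbours).
        first = -(-4 * offset // 3)                     # ceil(8*offset/6)
        last = (8 * (offset + len(marker)) - 6) // 6
        patterns.append(enc[first:last + 1])
    return patterns

def contains_encoded_marker(url: str, marker: bytes) -> bool:
    """True if `url` carries `marker` base64-encoded at any alignment."""
    return any(p in url for p in base64_alignment_patterns(marker))

def matches_redirect_history(redirect_history: List[str]) -> bool:
    """Mirror the rule's last clause: some hop in the redirect history must
    carry both the encoded 'sv=o365' and the encoded '&uid=USER' marker."""
    return any(contains_encoded_marker(u, SV_MARKER) and contains_encoded_marker(u, UID_MARKER)
               for u in redirect_history)

# Constructed sample redirect chains (hypothetical hosts, not real kit URLs).
SUSPECT_CHAIN = [
    "https://example.test/start",
    "https://landing.example.test/?d=" + base64.b64encode(b"lang=en&sv=o365&uid=USER").decode(),
]
BENIGN_CHAIN = [
    "https://example.test/start",
    "https://docs.example.test/?d=" + base64.b64encode(b"lang=en&page=2").decode(),
]

if __name__ == "__main__":
    print(base64_alignment_patterns(UID_MARKER))  # ['JnVpZD1VU0VS', 'Z1aWQ9VVNFU', 'mdWlkPVVTRV']
    print(matches_redirect_history(SUSPECT_CHAIN), matches_redirect_history(BENIGN_CHAIN))  # True False
```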