High Severity

Link: Multistage landing - FreshDesk knowledge base abuse

Labels

Credential Phishing

Open redirect

Impersonation: Brand

Social engineering

Content analysis

Natural Language Understanding

URL analysis

URL screenshot

Description

Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.

References

No references.

Sublime Security

Created Aug 21st, 2025 • Last updated Aug 21st, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.links) < 10
and any(filter(body.links,
               .href_url.domain.root_domain == "freshdesk.com"
               and strings.icontains(.href_url.path, 'support/solutions')
        ),
        // link to unknown domain on the page
        length(filter(ml.link_analysis(.).final_dom.links,
                      .href_url.domain.root_domain not in ("freshworks.com")
                      and .href_url.domain.root_domain not in $org_domains
                      and .href_url.domain.root_domain != sender.email.domain.root_domain
               )
        ) < 3
        // cred theft language on the page
        and any(ml.nlu_classifier(ml.link_analysis(.).final_dom.display_text).intents,
                .name == "cred_theft" and .confidence != "low"
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.