• Sublime Core Feed
Medium Severity

Link: Personal SharePoint with invalid recipients and credential theft language

Labels

Credential Phishing
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis

Description

Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in short message body.

References

No references.

Sublime Security
Created Jan 23rd, 2026 • Last updated Jan 23rd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// undisclosed recipients or no recipients
and (
  length(recipients.to) == 0
  or (
    all(recipients.to, .email.domain.valid == false)
    and all(recipients.cc, .email.domain.valid == false)
  )
)
// no previous threads
and length(body.previous_threads) == 0
// personal SharePoint domain pattern (firstname-my.sharepoint.com or similar)
and any(body.links,
        .href_url.domain.root_domain == "sharepoint.com"
        and strings.icontains(.href_url.domain.subdomain, "-my")
)
// high confidence credential theft intent from ML
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
// and message is relatively short and contains a single link
and (
  length(body.current_thread.text) < 1500
  and length(body.current_thread.links) == 1
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started