Sublime Core Feed

Login to Sublime

Medium Severity

Link: Scribd Fullscreen Link From Suspicious Sender

Labels

Credential Phishing

Social engineering

Sender analysis

Description

Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.

References

No references.

Sublime Security

Created May 14th, 2025 • Last updated May 14th, 2025

Feed Source

Sublime Core Feed

Source

type.inbound
and length(body.links) < 10
and any(body.links,
        (
          .href_url.domain.root_domain == "scribd.com"
          or strings.icontains(.href_url.query_params, 'scribd.com')
          or strings.icontains(.href_url.query_params, 'scribd%2ecom')
          or strings.icontains(.href_url.query_params, 'scribd%252ecom')
        )
        and strings.icontains(.href_url.fragment, 'fullscreen')
)
and not profile.by_sender_email().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.