Sublime Core Feed
Low Severity

Link: Spam website with evasion indicators

Description

Detects messages whose links point to spam websites that show signs of evasion when analyzed: instead of the real page content, link analysis receives a "blocklisted IP provider" message or a rate-limiting response.

References

No references.

Sublime Security
Created Nov 25th, 2025 • Last updated Nov 25th, 2025
Source
type.inbound
// single meaningful root domain in links
and length(filter(distinct(body.links, .href_url.domain.root_domain),
                  // filter out unrelated domains
                  .href_url.domain.root_domain != sender.email.domain.root_domain
                  and any(recipients.to,
                          .email.domain.root_domain != ..href_url.domain.root_domain
                  )
                  and .href_url.domain.root_domain not in ("aka.ms")
           )
) == 1
// specific spam website pattern
and any(body.links,
        // did not redirect to any other domain
        ml.link_analysis(.).effective_url.domain.domain == .href_url.domain.domain
        and (
          // LinkAnalysis was "evaded"
          any(ml.link_analysis(.).effective_url.query_params_decoded["q"],
              strings.icontains(., "IP provider is blacklisted!")
          )
          // or we encountered the rate limiting
          or ml.link_analysis(.).final_dom.inner_text == "Too Many Requests!"
        )
)