Low Severity

Link: URL shortener with copy-paste instructions and credential theft language

Labels

Credential Phishing

Evasion

Social engineering

Content analysis

Natural Language Understanding

URL analysis

Description

Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry.

References

No references.

Sublime Security

Created Feb 6th, 2026 • Last updated Feb 6th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.current_thread.links) > 0
and all(body.current_thread.links,
        .href_url.domain.root_domain in $url_shorteners
)
and (
  strings.icontains(body.current_thread.text, 'copy')
  and (
    strings.icontains(body.current_thread.text, 'pasting')
    or strings.icontains(body.current_thread.text, 'paste')
  )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
and (
  // self sender
  (
    length(recipients.to) == 1
    and sender.email.email == recipients.to[0].email.email
  )
  // or the sender is all undisclosed or there is no recipients
  or (
    length(recipients.to) == 0
    or all(recipients.to, .email.domain.valid == false)
  )
)
// negate display urls that match the sender root domain
and not any(body.current_thread.links,
            .display_url.domain.root_domain == sender.email.domain.root_domain
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.