Medium Severity
Mass campaign: Cross Site Scripting (XSS) attempt
Description
Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown senders. Known spam technique.
References
No references.
Sublime Security
Created Mar 27th, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
length(recipients.to) > 10
and length(filter(recipients.to,
.email.domain.domain not in $org_domains
and .email.email not in $recipient_emails
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
) >= 10
)
and (
strings.ilike(subject.subject,
'*<*script*>*',
'*xss.report*',
'*eval(atob*',
'*<*onload*>*',
'*<*onerror*>*'
)
or strings.ilike(body.current_thread.text,
'*<*script*>*',
'*xss.report*',
'*eval(atob*',
'*<*onload*>*',
'*<*onerror*>*'
)
)
and (
length(body.links) == 0
or (
length(body.links) == 1
and all(body.links, .href_url.domain.domain == "this.id")
)
)
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.