• Sublime Core Feed
High Severity

Potential prompt injection attack in body HTML

Labels

Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Spam
BEC/Fraud
Evasion
Social engineering
Header analysis
HTML analysis
Content analysis

Description

Detects messages containing references to major AI tools (like Gemini, Copilot, ChatGPT, or Claude) in non-standard HTML elements.

References

No references.

Sublime Security
Created Aug 26th, 2025 • Last updated Sep 29th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(filter(html.xpath(body.html,
                             "//*[local-name() = 'admin']"
                  ).nodes,
                  length(.display_text) > 0
                  and strings.ilike(.display_text,
                                    '*gemini*',
                                    '*copilot*',
                                    '*chatgpt*',
                                    '*claude*'
                  )
           )
) > 0

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started