Medium Severity

Reconnaissance: Email address harvesting attempt

Labels

BEC/Fraud

Credential Phishing

Description

Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.

References

No references.

Sublime Security

Created Sep 5th, 2025 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(subject.base) <= 15
// detect email addresses in body text
and (
  regex.imatch(body.current_thread.text,
               '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
  )
)
// external freemail sender
and sender.email.domain.root_domain in $free_email_providers
// no attachments but allow one link  
and length(attachments) == 0
and length(body.current_thread.links) == 1
// negate sender profiles completely if auth is failing
and (
  (
    not (
      headers.auth_summary.dmarc.pass == false
      or headers.auth_summary.spf.pass == false
    )
    and (
      not profile.by_sender().solicited
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_false_positives
      )
    )
    and not profile.by_sender().any_false_positives
  )
  or (
    headers.auth_summary.dmarc.pass == false
    or headers.auth_summary.spf.pass == false
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.