High Severity

Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment

Labels

Credential Phishing

Evasion

Natural Language Understanding

URL analysis

Description

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound

// RFP/RFQ language
and 1 of (
  regex.icontains(body.current_thread.text, '(discuss.{0,15}purchas(e|ing))'),
  regex.icontains(body.current_thread.text,
                  '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
  ),
  regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quote'),
  regex.icontains(subject.subject,
                  '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
  ),
  any(attachments,
      regex.icontains(.file_name, "(purchase.?order|Quot(e|ation))")
  ),
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
  ),
  any(ml.nlu_classifier(body.current_thread.text).tags,
      .name == "purchase_order" and .confidence == "high"
  )
)

// HTML smuggling
and any(attachments,
        (
          .file_extension in~ ("html", "htm", "shtml", "dhtml")
          or .file_extension in~ $file_extensions_common_archives
          or .file_type == "html"
        )
        and any(file.explode(.),
                (
                  length(filter(.scan.javascript.identifiers,
                                strings.like(., "document", "write", "atob")
                         )
                  ) == 3
                  // usage: document['write'](atob)
                  or any(.scan.strings.strings,
                         strings.ilike(., "*document*write*atob*")
                  )
                  // usage: some_var = atob();
                  or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
                  // usage: obfuscating "atob"
                  or any(.scan.javascript.identifiers,
                         strings.ilike(., '*ato\u0062*')
                  )
                  // usage: document.head.insertAdjacentHTML("beforeend", atob(...
                  or any(.scan.strings.strings,
                         strings.ilike(.,
                                       "*document*write*atob*",
                                       "*document*insertAdjacentHTML*atob*"
                         )
                  )
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.