Medium Severity

Self-sender with copy/paste instructions and suspicious domains (French/Français)

Description

Detects messages in which the sender emails themselves (exactly one To recipient, no Cc, and that recipient is the sender's own address) with French text containing 'copier' (copy) and 'coller' (paste) instructions, together with a link on a free hosting domain such as pages.dev or web.app. The subject line must contain both the sender's email address and the sender's display name, and those two values must differ from each other.

References

No references.

Sublime Security
Created Apr 16th, 2026 • Last updated Apr 16th, 2026
Source
type.inbound
// self sender
and (
  length(recipients.to) == 1
  and length(recipients.cc) == 0
  and sender.email.email in map(recipients.to, .email.email)
)
and strings.icontains(subject.subject, sender.email.email)
and strings.icontains(subject.subject, sender.display_name)
and sender.email.email != sender.display_name
// copy
and strings.icontains(body.current_thread.text, 'copier')
// paste
and strings.icontains(body.current_thread.text, 'coller')
and (
  strings.contains(body.current_thread.text, '.pages.dev')
  or strings.contains(body.current_thread.text, '.web.app')
)
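For readers who want to see the rule's logic applied to a concrete message, the following is an added Python re-implementation of the same conditions, run over two constructed sample messages. It is not Sublime Security's code and does not use their engine; the mapping of the MQL fields (sender.email.email, recipients.to, subject.subject, body.current_thread.text) onto a parsed RFC 5322 message is this example's own assumption, and it treats the first text part as the "current thread" text.

```python
"""
Added example (not Sublime Security's code): a stand-alone Python
re-implementation of the rule's logic, run over constructed sample messages.
The field mapping below (sender/recipients/subject/body) is this example's
own approximation of the MQL fields; treating the first text part as the
"current thread" text is an assumption.
"""
import email
from email import policy
from email.message import EmailMessage

# Domains the rule looks for; strings.contains in MQL is case-sensitive, so
# they are matched case-sensitively here too.
SUSPICIOUS_DOMAIN_SUFFIXES = (".pages.dev", ".web.app")


def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Lower-cased addr-specs from an address header, [] if absent."""
    hdr = msg.get(header)
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def extract_fields(raw: bytes) -> dict:
    """Parse a message into the handful of fields the rule inspects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg.get("From")
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "sender_email": sender.addr_spec.lower() if sender else "",
        "sender_display_name": sender.display_name if sender else "",
        "to": _addresses(msg, "To"),
        "cc": _addresses(msg, "Cc"),
        "subject": str(msg.get("Subject", "")),
        "body_text": body.get_content() if body is not None else "",
    }


def matches_rule(f: dict) -> bool:
    """Mirror of the MQL conditions, evaluated in the same order."""
    # self sender: exactly one To recipient, no Cc, and that recipient is the sender
    if not (len(f["to"]) == 1 and len(f["cc"]) == 0 and f["sender_email"] in f["to"]):
        return False
    subject_l = f["subject"].lower()
    name = f["sender_display_name"]
    # subject carries both the address and a display name that differs from it;
    # an empty display name is rejected explicitly, since "" in s is always True
    if not name or f["sender_email"] not in subject_l or name.lower() not in subject_l:
        return False
    if f["sender_email"] == name:
        return False
    text_l = f["body_text"].lower()
    # French copy/paste instructions (case-insensitive, like strings.icontains)
    if "copier" not in text_l or "coller" not in text_l:
        return False
    # link on one of the free hosting domains (case-sensitive, like strings.contains)
    return any(d in f["body_text"] for d in SUSPICIOUS_DOMAIN_SUFFIXES)


def scan(raw: bytes) -> bool:
    """Convenience wrapper: does this raw message trip the rule?"""
    return matches_rule(extract_fields(raw))


# Constructed sample: self-addressed lure with a pages.dev link
SAMPLE_LURE = b"""\
From: "Service Client" <marie.dupont@example.com>
To: marie.dupont@example.com
Subject: marie.dupont@example.com - Service Client : action requise
Content-Type: text/plain; charset="utf-8"

Bonjour,
Votre acces sera suspendu sous 24h. Veuillez copier le lien ci-dessous
et le coller dans votre navigateur pour confirmer votre identite :
https://verification-compte.pages.dev/login
"""

# Constructed sample: a genuine note-to-self that mentions copy/paste but has
# no display name in the subject and no suspicious domain
SAMPLE_NOTE_TO_SELF = b"""\
From: "Marie Dupont" <marie.dupont@example.com>
To: marie.dupont@example.com
Subject: rappel
Content-Type: text/plain; charset="utf-8"

Penser a copier les photos sur le NAS et coller le rapport dans le wiki.
"""

if __name__ == "__main__":
    print("lure:", scan(SAMPLE_LURE))                   # True
    print("note to self:", scan(SAMPLE_NOTE_TO_SELF))   # False
```

The second sample is the main false-positive shape to keep in mind: a self-sent reminder that legitimately mentions copying and pasting. It is excluded only because the subject does not carry the address and display name and no pages.dev or web.app link is present, so when tuning the rule the subject and domain conditions are the ones doing most of the work.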