Medium Severity

Service abuse: Behance document sharing with suspicious language

Labels

Description

Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.

References

No references.

Sublime Security

Created Mar 27th, 2026 • Last updated Mar 27th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.current_thread.text) < 10000
and strings.ilike(body.current_thread.text,
                  "*proposal*",
                  "*specified link*",
                  "*secure*"
)
and length(filter(body.current_thread.links,
                  .href_url.domain.root_domain == 'behance.net'
                  and strings.icontains(.href_url.path, '/gallery/')
                  and .display_url.domain.root_domain == 'behance.net'
                  and strings.icontains(.display_url.path, '/gallery/')
           )
) == 1
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.