Sublime Core Feed

Description

Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients.

References

No references.

Sublime Security
Created Oct 1st, 2025 • Last updated Oct 1st, 2025
Source
type.inbound
and sender.email.domain.domain == 'res.cisco.com'
and any(headers.reply_to, .email.domain.domain != 'res.cisco.com')
and (
  length(recipients.to) == 0
  or all(recipients.to, .display_name == "Undisclosed recipients")
)
and (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in ("Financial Communications", "Request to View Invoice")
  )
  or any(ml.nlu_classifier(subject.base).entities, .name == "financial")
)