Sublime Core Feed
High Severity

Service Abuse: ExactTarget with suspicious sender indicators

Description

Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.

References

No references.

Sublime Security
Created Aug 28th, 2025 • Last updated Nov 8th, 2025
Source
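type.inbound
// a domain found in the headers belongs to ExactTarget
and any(headers.domains, .root_domain == 'exacttarget.com')
and (
  // full sender address of 50+ characters on salesforce.com
  (
    length(sender.email.email) >= 50
    and sender.email.domain.root_domain == "salesforce.com"
  )
  // sender on awsapps.com
  or sender.email.domain.root_domain == "awsapps.com"
  // UTF-8 encoding marker inside the sender domain
  or strings.icontains(sender.email.domain.domain, '?utf-8')
  // display name with a pipe followed by a job-style keyword
  or regex.icontains(sender.display_name,
                     '.*\|.*(Manager|Careers|Recruitment|Specialist|Global)'
  )
)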
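
The rule's conditions evaluated over constructed sample senders, as an added Python example that is not Sublime's code: it reports which indicator fires for each message, which helps when checking expected matches and false positives. The function names, indicator labels, sample values and the two-label root-domain shortcut are assumptions of this example.

```python
import re

# Display-name pattern copied from the rule: a "|" followed later by a job-style keyword.
DISPLAY_NAME_RE = re.compile(
    r".*\|.*(Manager|Careers|Recruitment|Specialist|Global)", re.IGNORECASE
)

def root_domain(host):
    # Assumption: the root domain is the last two labels. That holds for the
    # domains in this rule; a general implementation needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def indicators(header_domains, display_name, address):
    """Return the names of the rule conditions that fire ([] means no match)."""
    # Gate: some domain in the headers must belong to ExactTarget.
    if not any(root_domain(d) == "exacttarget.com" for d in header_domains):
        return []
    domain = address.rpartition("@")[2]
    hits = []
    # The length test covers the whole address, not only the domain part.
    if len(address) >= 50 and root_domain(domain) == "salesforce.com":
        hits.append("long_salesforce_address")
    if root_domain(domain) == "awsapps.com":
        hits.append("awsapps_sender")
    if "?utf-8" in domain.lower():
        hits.append("utf8_in_domain")
    if DISPLAY_NAME_RE.search(display_name):
        hits.append("display_name_pattern")
    return hits

ET = ["bounce.s7.exacttarget.com"]  # constructed header domain
# Constructed samples: (header domains, display name, sender address)
SAMPLES = [
    (ET, "Acme | Recruitment Team", "jobs@example.com"),
    (ET, "Notifications", "noreply@" + "a" * 40 + ".my.salesforce.com"),
    (ET, "Notifications", "noreply@salesforce.com"),      # short address: no hit
    (ET, "HR", "hr@corp.awsapps.com"),
    (ET, "Global Manager", "info@example.com"),           # keyword but no pipe: no hit
    (["mail.example.net"], "Acme | Careers", "jobs@example.com"),  # not via ExactTarget
]

if __name__ == "__main__":
    for doms, name, addr in SAMPLES:
        print(indicators(doms, name, addr), name, addr)
```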