Medium Severity

Service abuse: FlipHTML5 with attachment deception and credential theft language

Labels

Credential Phishing

Social engineering

Free file host

Evasion

Content analysis

Natural Language Understanding

URL analysis

Description

Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns.

References

No references.

Sublime Security

Created Oct 30th, 2025 • Last updated Oct 30th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// messages contain wording to "see attached" but contains no attachments
and (
  regex.icontains(body.current_thread.text,
                  "attached|see.*attached|find.*attached|please{0,10}attached"
  )
  and length(attachments) == 0
)
// and the link goes to fliphtml5 and contains suspect "click me" language
and any(body.links,
        .href_url.domain.root_domain == "fliphtml5.com"
)
// and we have confidence its cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.