• Sublime Core Feed
Medium Severity

Service Abuse: Nifty.com with impersonation

Labels

Credential Phishing
Spoofing
Sender analysis

Description

Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns

References

No references.

Sublime Security
Created Nov 5th, 2025 • Last updated Dec 19th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.root_domain == "nifty.com"
and (
  sender.email.local_part in map(recipients.to, .email.local_part)
  or sender.email.local_part in $org_slds
)

and ml.nlu_classifier(body.current_thread.text).language != "japanese"

// and no false positives and not solicited
and not profile.by_sender_email().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started