Description

Detects inbound messages sent through Oracle Cloud's workflow mail service (workflow.mail.us2.cloud.oracle.com) that contain callback scam content within styled HTML table cells. Natural language understanding is used to identify callback scam intent with medium or high confidence within the message body, indicating misuse of legitimate Oracle infrastructure to deliver fraudulent content.

References

No references.

Sublime Security
Created Jul 10th, 2026 • Last updated Jul 10th, 2026
Source
type.inbound
and sender.email.domain.domain == "workflow.mail.us2.cloud.oracle.com"
and any(html.xpath(body.html,
                   "//td[contains(@style, 'padding: 20px 40px')]//font[@style='']"
        ).nodes,
        any(ml.nlu_classifier(.inner_text).intents,
            .name == "callback_scam" and .confidence != "low"
        )
)   
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started