Medium Severity

Service abuse: PayPal manager account creation with callback scam indicators

Labels

Callback Phishing
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Sender analysis
Content analysis
Natural Language Understanding

Description

Detects inbound messages abusing PayPal's noreply address with subjects about PayPal Manager user account creation that contain callback scam intent patterns identified through natural language analysis.

References

No references.

Sublime Security
Created Jun 2nd, 2026 • Last updated Jun 2nd, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.email == "noreply@paypal.com"
and strings.icontains(subject.base,
                      "Creation of your PayPal Manager user account"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("callback_scam", "cred_theft") and .confidence != "low"
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started