• Sublime Core Feed
High Severity

Service abuse: SurveyMonkey survey from newly registered domain

Labels

Credential Phishing
Evasion
Free file host
Social engineering
Content analysis
Header analysis
Sender analysis

Description

This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.

References

No references.

Sublime Security
Created Apr 18th, 2025 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// Legitimate SurveyMonkey sending infratructure
and sender.email.email == "member@surveymonkeyuser.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
// 
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
// 

// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited

// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started