Medium Severity

Service abuse: SurveyMonkey with suspicious outbound links

Description

Detects messages sent from SurveyMonkey's user domain that contain links to non-SurveyMonkey domains within nested table elements, excluding survey-related content.

References

No references.

Sublime Security
Created Jul 8th, 2026 • Last updated Jul 8th, 2026
Source
type.inbound
and sender.email.domain.root_domain == "surveymonkeyuser.com"
and any(html.xpath(body.html, '//table//table//a').nodes,
        .links[0].href_url.domain.root_domain != "surveymonkey.com"
        and not strings.icontains(.inner_text, "survey")
        and not (
          .links[0].href_url.domain.root_domain in (
            "mimecast.com",
            "mimecastprotect.com"
          )
          and any(.links[0].href_url.query_params_decoded['domain'],
                  strings.parse_domain(.).domain in $tenant_domains
                  or strings.parse_domain(.).domain in ("surveymonkey.com", )
          )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started