Description

Message from alert@dtdg.co containing links to URL shorteners or self-service creation platforms.

Sublime Security
Created Jun 11th, 2026 • Last updated Jun 11th, 2026
Source
type.inbound
and sender.email.email == "alert@dtdg.co"
and length(body.current_thread.text) < 1000
and (
  (
    any(filter(body.links,
               .parser == "hyperlink"
               and not any(.href_url.query_params_decoded["domain"],
                           strings.parse_domain(.).root_domain == "datadoghq.com"
               )
        ),
        .href_url.domain.root_domain != "datadoghq.com"
        and .href_url.domain.root_domain != "aka.ms"
    )
    and regex.icontains(body.current_thread.text,
                        'quarantine|held for.{0,10}review|secure message|voice\s?mail'
    )
  )
  or (
    ml.nlu_classifier(body.current_thread.text).language == "english"
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .confidence == "high"
            and .name == "Voicemail Call and Missed Call Notifications"
    )
  )
)