• Sublime Core Feed

Description

Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body.

References

No references.

Sublime Security
Created Dec 3rd, 2025 • Last updated Dec 3rd, 2025
Source
// inbound mail from a free email provider
type.inbound
and sender.email.domain.root_domain in $free_email_providers
// not a reply
and length(headers.references) == 0
// links in the current thread point to between 1 and 3 distinct root domains
and 0 < length(distinct(body.current_thread.links, .href_url.domain.root_domain)
) <= 3
// a link carries a recipient's address in its "email" query parameter
and any(body.links,
        any(.href_url.query_params_decoded["email"],
            strings.parse_email(.).email in map(recipients.to, .email.email)
        )
)
// the body names a dating-themed organization or is classified as Romance
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "org"
      and strings.ilike(.text, "*Date*", "*Dating*", "*Girls*", "*Love*")
  )
  or any(ml.nlu_classifier(body.current_thread.text).topics, .name == "Romance")
)
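
The structural (non-ML) conditions of the rule above, re-expressed in Python as an added example for checking messages outside the platform; this is not Sublime's code or part of the rule. The message dict layout, the `FREE_PROVIDERS` set standing in for `$free_email_providers`, the single `links` list, the naive root-domain split and the case-insensitive address comparison are assumptions of this example.

```python
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Assumption: small constructed stand-in for Sublime's $free_email_providers list.
FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def root_domain(host):
    # Assumption: naive last-two-labels split; real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def recipient_in_email_param(url, recipients):
    """True if a decoded `email` query value parses to one of the recipients."""
    rcpts = {r.lower() for r in recipients}
    # parse_qs percent-decodes values, so bob%40corp.example becomes bob@corp.example.
    values = parse_qs(urlsplit(url).query).get("email", [])
    # parseaddr also accepts the "Name <addr>" form; comparison is case-insensitive here.
    return any(parseaddr(v)[1].lower() in rcpts for v in values)

def matches_structure(msg):
    """Structural conditions only; the NLU entity/topic clause is not reproduced."""
    if root_domain(msg["sender"].rsplit("@", 1)[-1]) not in FREE_PROVIDERS:
        return False
    if msg["references"]:  # a populated References header means a reply
        return False
    domains = {root_domain(urlsplit(u).hostname or "") for u in msg["links"]}
    if not 0 < len(domains) <= 3:
        return False
    return any(recipient_in_email_param(u, msg["to"]) for u in msg["links"])

# Constructed sample messages (hypothetical dict layout, not a Sublime data model).
LINK = "https://meet.example.net/p?id=7&email=bob%40corp.example"
SAMPLES = {
    "hit": {"sender": "lena83@gmail.com", "to": ["bob@corp.example"],
            "references": [], "links": [LINK]},
    "reply": {"sender": "lena83@gmail.com", "to": ["bob@corp.example"],
              "references": ["<m1@corp.example>"], "links": [LINK]},
    "not_free": {"sender": "news@vendor.example", "to": ["bob@corp.example"],
                 "references": [], "links": [LINK]},
    "other_addr": {"sender": "lena83@gmail.com", "to": ["bob@corp.example"], "references": [],
                   "links": ["https://meet.example.net/p?email=eve%40corp.example"]},
    "no_links": {"sender": "lena83@gmail.com", "to": ["bob@corp.example"],
                 "references": [], "links": []},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10} -> {matches_structure(msg)}")
```
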