Low Severity

Spam: Fake photo share

Labels

Spam
Evasion
Social engineering
Content analysis
Sender analysis
URL analysis
Whois

Description

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link to a newly registered domain. Fake reply threads and plain-text-only bodies have been seen in the wild, indicating active evasion techniques.

References

No references.

Sublime Security
Created May 10th, 2024 • Last updated Jul 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(attachments) == 0
and (
  (
    (
      (
        (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
        or (
          length(body.html.display_text) < 500
          and length(body.current_thread.text) == 0
        )
        or (length(body.current_thread.text) < 500)
      )
      and strings.ilike(subject.subject,
                        "*picture*",
                        "*photo*",
                        "*image*",
                        "*sad news*",
                        "*sad announcement*",
                        "*new pics*"
      )
    )
    or (
      (
        (
          length(body.html.display_text) < 500
          and length(body.current_thread.text) == 0
        )
        and strings.ilike(body.html.display_text,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*sad announcement*",
                          "*new pics*"
        )
      )
      or (
        (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
        and strings.ilike(body.plain.raw,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*sad announcement*",
                          "*new pics*"
        )
        and not strings.icontains(body.plain.raw, "[cid:image")
      )
      or (
        length(body.current_thread.text) < 500
        and strings.ilike(body.current_thread.text,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*sad announcement*",
                          "*new pics*"
        )
      )
    )
    or (
      body.plain.raw is not null
      and body.html.display_text is null
      and (
        length(body.current_thread.text) == 0
        or (
          length(body.current_thread.text) < 500
          // fake forward indicator in the plain text body
          and (
            regex.contains(body.plain.raw,
                           'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
            )
            or strings.icontains(body.plain.raw, 'Original Message')
          )
          and not regex.contains(body.current_thread.text,
                                 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
          )
          and not strings.icontains(body.current_thread.text,
                                    'Original Message'
          )
          and not any(headers.hops, any(.fields, .name == "Resent-From"))
        )
      )
      and strings.ilike(body.plain.raw,
                        "*picture*",
                        "*photo*",
                        "*image*",
                        "*sad news*",
                        "*sad announcement*",
                        "*pics*"
      )
      and not strings.istarts_with(body.plain.raw, "[cid:image")
      and strings.icontains(subject.subject, sender.display_name)
    )
    or (
      strings.icontains(subject.subject, sender.display_name)
      and sender.email.domain.root_domain in $free_email_providers
      and length(body.links) == 2
      and length(filter(body.links, .display_text == "h")) == 1
      and length(filter(body.links, .display_url.scheme == "ttp")) == 1
    )
  )
  and length(body.links) < 5
  and any(body.links,
          (
            (
              network.whois(.href_url.domain).days_old < 30
              or not network.whois(.href_url.domain).found
              or network.whois(.href_url.domain).found is null
            )
            and .href_url.domain.root_domain != sender.email.domain.root_domain
          )
          or (
            length(.display_text) == 1
            and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
          )
  )
)
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      )
    )
  )
  or length(headers.references) == 0
)
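As an added illustration (this is not Sublime's code or the rule's engine), the following Python approximates the rule's plain-text branch: a short single-part body with photo-share wording, a subject that echoes the sender's display name, fewer than five links, and at least one link to a newly registered or unknown domain that differs from the sender's domain. The whois lookup is replaced by a constructed table and both EML samples are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PHOTO_TERMS = ("picture", "photo", "image", "sad news", "sad announcement", "pics")
LINK_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed stand-in for network.whois(): root domain -> days old; a missing entry models "record not found".
WHOIS_DAYS_OLD = {"friendly-photos-example.xyz": 3, "example.com": 4000}

def newly_registered(root):
    """Mirror the rule's whois clause: days_old < 30, or no whois record at all."""
    days = WHOIS_DAYS_OLD.get(root)
    return days is None or days < 30

def root_domain(host):
    # Naive last-two-labels root; adequate for the constructed samples (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def is_fake_photo_share(raw_eml):
    """Approximate the rule's plain-text branch for a single-part text/plain message."""
    msg = message_from_string(raw_eml)
    if msg.is_multipart():  # rule requires zero attachments; only single-part bodies are modelled here
        return False
    body = msg.get_payload()
    subject = msg.get("Subject", "")
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_root = root_domain(addr.rsplit("@", 1)[-1])
    if len(body) >= 500 or body.lower().startswith("[cid:image"):
        return False
    if not any(term in body.lower() for term in PHOTO_TERMS):
        return False
    if not display_name or display_name.lower() not in subject.lower():
        return False
    link_roots = [root_domain(urlparse(u).hostname or "") for u in LINK_RE.findall(body)]
    if not 0 < len(link_roots) < 5:
        return False
    # At least one link must point at a new or unknown domain that is not the sender's own.
    return any(newly_registered(r) and r != sender_root for r in link_roots)

# Constructed sample: short lure, subject echoes the sender name, link to a 3-day-old domain.
SPAM_EML = (
    "From: Aunt Carol <carol@mail.example.net>\r\n"
    "Subject: Aunt Carol shared photos with you\r\nContent-Type: text/plain\r\n\r\n"
    "Found these photos and thought you'd like them :)\r\n"
    "http://friendly-photos-example.xyz/album/1\r\n"
)
# Constructed benign sample: same wording, but the link goes to a long-established domain.
BENIGN_EML = SPAM_EML.replace("friendly-photos-example.xyz", "www.example.com")
```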