• Sublime Core Feed
Low Severity

Spam: Firebase password reset from suspicious sender

Labels

Credential Phishing
Spam
Evasion
Social engineering
Header analysis
Sender analysis
URL analysis

Description

Detects Firebase password reset messages from suspicious or new senders that may be attempting to abuse the Firebase authentication service.

References

No references.

Sublime Security
Created Dec 2nd, 2025 • Last updated Dec 2nd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and sender.email.domain.root_domain == "firebaseapp.com"
and length(filter(body.links,
                  .href_url.domain.root_domain not in ("aka.ms")
                  and .href_url.path is not null
           )
) == 1
and any(body.links,
        .href_url.domain.domain == sender.email.domain.domain
        and .href_url.path == "/__/auth/action"
        and any(.href_url.query_params_decoded["mode"], . == "resetPassword")
)
and (
  (
    not profile.by_sender().solicited
    and profile.by_sender().prevalence == "new"
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or not headers.auth_summary.dmarc.pass
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started