Low Severity

Spam: Item giveaway spam template

Labels

Spam

Image as content

Description

This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam. Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey.

References

No references.

Sublime Security

Created Jan 2nd, 2025 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (not profile.by_sender().solicited or sender.email.email == "")
// not high trust sender domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and regex.icontains(body.html.raw,
                    '<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
                    '<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*\<img src=(?:\x22[^\>]+)\><\/a>'
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.