• Sublime Core Feed

Description

Detects messages promoting untrustworthy Mastercard credit cards that contain both financial communications and promotional content topics, with the message body primarily consisting of image content rather than text. Excludes legitimate payment-related Mastercard communications and applies additional scrutiny to high-trust sender domains that fail DMARC authentication.

References

No references.

Sublime Security
Created Nov 5th, 2025 • Last updated Nov 5th, 2025
Source
type.inbound
and length(attachments) == 0
and not subject.is_forward
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
        .name == "Financial Communications"
)
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
        .name == "Advertising and Promotions"
)

// mastercard mention
and strings.icontains(beta.ocr(file.message_screenshot()).text, "mastercard")
and not strings.icontains(beta.ocr(file.message_screenshot()).text,
                          "paying with mastercard"
)

// body is image
and (
  length(beta.ocr(file.message_screenshot()).text) / length(body.current_thread.text
  )
) > 10
and length(body.previous_threads) == 0

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
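
The rule's gating logic, modelled in Python over constructed messages to show which conditions flip the verdict. This is an added example, not Sublime's code or its MQL engine. The `Msg` fields, the `HIGH_TRUST` set, the sample domains and the handling of an empty text body are assumptions of this model.

```python
from dataclasses import dataclass, replace

HIGH_TRUST = {"trusted.example"}  # constructed stand-in for $high_trust_sender_root_domains
TOPICS = {"Financial Communications", "Advertising and Promotions"}

@dataclass
class Msg:
    ocr_text: str            # text OCR'd from the message screenshot
    body_text: str           # text of the current thread
    topics: set              # topic names the classifier returned for ocr_text
    root_domain: str
    dmarc_pass: bool
    attachments: int = 0
    is_forward: bool = False
    previous_threads: int = 0

def image_ratio(m):
    # Model assumption: an empty text body counts as fully image-based, so the
    # division cannot fail. The page does not say how MQL evaluates that case.
    if not m.body_text:
        return float("inf") if m.ocr_text else 0.0
    return len(m.ocr_text) / len(m.body_text)

def sender_in_scope(m):
    # High-trust root domains are exempt only while DMARC passes.
    return m.root_domain not in HIGH_TRUST or not m.dmarc_pass

def matches(m):
    ocr = m.ocr_text.lower()  # mirrors the case-insensitive icontains checks
    return (m.attachments == 0 and not m.is_forward
            and TOPICS <= m.topics
            and "mastercard" in ocr
            and "paying with mastercard" not in ocr
            and image_ratio(m) > 10
            and m.previous_threads == 0
            and sender_in_scope(m))

# Constructed sample: long OCR text over a 15-character text body.
PROMO = Msg("Get your new Mastercard today! 0% intro APR, apply now. " * 5,
            "View in browser", set(TOPICS), "promo-cards.example", False)

def variant(**changes):
    return replace(PROMO, **changes)

if __name__ == "__main__":
    print("promo:", matches(PROMO))
    print("high-trust, DMARC pass:", matches(variant(root_domain="trusted.example", dmarc_pass=True)))
    print("high-trust, DMARC fail:", matches(variant(root_domain="trusted.example")))
    print("payment wording:", matches(variant(ocr_text=PROMO.ocr_text + "Thanks for paying with Mastercard.")))
    print("text-heavy body:", matches(variant(body_text=PROMO.ocr_text)))
```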