Sublime Core Feed
Low Severity

Spam: Personalized subject and greetings via Salesforce Marketing Cloud

Description

Detects messages sent through Salesforce Marketing Cloud infrastructure that contain a single fake previous email thread, where both the current thread and the previous thread open with the same "Hi <first name>" greeting and that first name is taken from the end of the subject line.

References

No references.

Sublime Security
Created Nov 3rd, 2025 • Last updated Nov 3rd, 2025
Source
type.inbound
// attempt to find SF sending infra
and (
  headers.domains[0].root_domain == "exacttarget.com"
  or strings.iends_with(headers.message_id, '.xt.local>')
  or any(headers.hops,
         any(.fields,
             .name =~ "X-SFMC-Stack"
             or (.name =~ "x-job" and regex.match(.value, '^\d+_\d+$'))
         )
  )
)
// the message contains a fake previous thread
and length(body.previous_threads) == 1

// extract the name from the subject
and any(regex.iextract(subject.base, '(?:^|: )(?P<first_name>[A-Z][a-z]+)$'),
        // the current thread starts with "Hi <extracted from subject>"
        strings.istarts_with(body.current_thread.text,
                             strings.concat('Hi ', .named_groups["first_name"])
        )
        // the previous thread starts with "Hi <extracted from subject>"
        and any(body.previous_threads,
                strings.istarts_with(.text,
                                     strings.concat('Hi ',
                                                    ..named_groups["first_name"]
                                     )
                )
        )
)
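To make the rule's clauses easy to exercise outside the MQL console, the following is an added Python re-implementation run over a constructed sample message; it is example code, not Sublime's own, and the thread-splitting heuristic, the reliance on the X-Job header alone for the hop check, and the sample headers are assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not a real campaign): SFMC-style headers, a subject ending in a
# capitalised first name, and a reply over one fake quoted thread with the same greeting.
SAMPLE_EML = """\
Subject: Your account update: Alice
Message-ID: <abc123.xt.local>
X-SFMC-Stack: 10
X-Job: 12345_67890

Hi Alice, just following up on the note below.

On Mon, Nov 3, 2025, promo@example.test wrote:
> Hi Alice, we tried to reach you about your account.
"""

NAME_RE = re.compile(r'(?:^|: )(?P<first_name>[A-Z][a-z]+)$')  # same pattern as the rule
JOB_RE = re.compile(r'^\d+_\d+$')                              # same pattern as the rule

def sent_via_sfmc(msg) -> bool:
    """Approximate the rule's infrastructure clause on a parsed email.message.Message."""
    job = msg.get("X-Job", "")
    return ((msg.get("Message-ID") or "").lower().endswith(".xt.local>")
            or msg.get("X-SFMC-Stack") is not None
            or JOB_RE.match(job.strip()) is not None)

def split_threads(body: str) -> tuple[str, list[str]]:
    """Stand-in for body.current_thread / body.previous_threads (assumed heuristic): unquoted
    text before the first '>' line is the current thread; each run of '>' lines is one previous."""
    quoted = re.findall(r'(?m)^(?:>.*\n?)+', body)
    head = body.split("\n>", 1)[0]
    current = re.sub(r'(?m)^On .*wrote:\s*$', '', head).strip()
    return current, [re.sub(r'(?m)^> ?', '', q).strip() for q in quoted]

def matches_rule(raw_eml: str) -> bool:
    """All rule clauses: SFMC infra, exactly one previous thread, and both threads opening
    with 'Hi <first name taken from the end of the subject>' (case-insensitive)."""
    msg = message_from_string(raw_eml)
    current, previous = split_threads(msg.get_payload())
    name = NAME_RE.search(msg.get("Subject", ""))
    if not (sent_via_sfmc(msg) and len(previous) == 1 and name):
        return False
    greeting = f"hi {name['first_name']}".lower()
    return current.lower().startswith(greeting) and previous[0].lower().startswith(greeting)
```

Dropping the name from the subject, or changing the quoted thread's greeting, makes the last check fail, which mirrors the rule's requirement that both threads reuse the subject-derived greeting.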