Medium Severity
Suspicious recipient pattern and language with low reputation link to login
Description
Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects.
References
No references.
Sublime Security
Created Apr 30th, 2024 • Last updated Apr 30th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
(
(
.href_url.domain.root_domain not in $tranco_1m
and .href_url.domain.valid
and .href_url.domain.root_domain not in $org_domains
and .href_url.domain.root_domain not in $high_trust_sender_root_domains
)
or .href_url.domain.tld in $suspicious_tlds
)
and (
ml.link_analysis(.).credphish.contains_login
and (
ml.link_analysis(.).final_dom.display_text != strings.replace_confusables(ml.link_analysis(.
).final_dom.display_text
)
or length(ml.link_analysis(.).redirect_history) > 1
)
)
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("financial", "urgency")
)
and (
(
length(recipients.to) == 0
or length(recipients.bcc) > 0
or (
all(recipients.to, .email.domain.valid == false)
and all(recipients.cc, .email.domain.valid == false)
)
)
)
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
Playground
Test against your own EMLs or sample data.