• Sublime Core Feed

Description

Email is from a suspicious sender and contains a request for financial information, such as AR reports.

References

No references.

Sublime Security
Created Nov 14th, 2024 • Last updated Dec 6th, 2025
Source
type.inbound
and length(attachments) <= 1
and length(recipients.to) <= 2
// suspicious sender
and (
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            .email.domain.root_domain != sender.email.domain.root_domain
            and .email.domain.root_domain not in $org_domains
    )
  )
  or sender.email.domain.root_domain in $free_email_providers
  or profile.by_sender().days_known < 3
)
// specific financial language
and (
  regex.icontains(subject.subject,
                  '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                  'reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?'
  )
  or (
    regex.icontains(body.current_thread.text,
                    '\b(Aged|Age?ing) (Payables|Receivables|Report)',
                    '(updated|recent) (\bAR\b|\bAP\b|\bAR\b \& \bAP\b|accounts?) (Payables|Receivables|Reports)',
                    '(shared?|send|forward|provide).*remittance (advice|receipts?|statements?)'
    )
    or strings.icontains(body.current_thread.text,
                         "copy of a current statement"
    )
    or (
      strings.icontains(body.current_thread.text, "please send all past due")
      and strings.icontains(body.current_thread.text, "current invoices")
    )
  )
  // suspicious link display text
  or (
    any(body.links,
        regex.icontains(.display_text,
                        '(Payment|Remittance|Settlement|Transfer) ?Batch',
        )
    )
  )
  // suspicious sender display name
  or (
    regex.icontains(sender.display_name,
                    'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))'
    )
    // sender email listed as a recipient or recipients undisclosed/null
    and (
      (
        sender.email.email in map(recipients.to, .email.email)
        or (length(recipients.to) == 0 or length(recipients.to) is null)
      )
      // non-benign nlu intent 
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name != "benign"
      )
    )
  )
)
// negate resume related/job inquiry outreach 
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name == "Professional and Career Development" and .confidence == "high"
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "benign" and .confidence != "low"
  )
)
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
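The rule's financial-language and display-name patterns ported to Python, as an added example that is not Sublime's code or part of the rule; it assumes Python's re module is a close enough stand-in for MQL's RE2 regex syntax, with the one incompatible construct ([[:punct:]]) handled in the code.

```python
import re
import string

# Added example, not part of Sublime's rule. Ports the rule's "specific
# financial language" and "suspicious sender display name" regexes from
# MQL (RE2 syntax) to Python's re module so they can be exercised offline.
# RE2's [[:punct:]] has no Python equivalent and is expanded to an escaped
# string.punctuation class; the other patterns are copied as written.
PUNCT = "[" + re.escape(string.punctuation) + "]"

SUBJECT_PATTERNS = [
    r"\b(Aged|Age?ing) (Payables|Receivables|Report)",
    r"reconcill?iation (report|statement).*(issued (settlement|advice)s?)|billing records?",
]
BODY_PATTERNS = [
    r"\b(Aged|Age?ing) (Payables|Receivables|Report)",
    r"(updated|recent) (\bAR\b|\bAP\b|\bAR\b & \bAP\b|accounts?) (Payables|Receivables|Reports)",
    r"(shared?|send|forward|provide).*remittance (advice|receipts?|statements?)",
]
DISPLAY_NAME_PATTERN = (
    r"Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)"
    r"|(Co" + PUNCT + r"?ordinator|Admin|Manager|Payee))"
)

def icontains_any(text, patterns):
    """Mirror MQL regex.icontains(): case-insensitive search, any pattern hits."""
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def financial_language(subject, body):
    """The rule's financial-language block (link display-text branch omitted)."""
    body_l = body.lower()
    return (
        icontains_any(subject, SUBJECT_PATTERNS)
        or icontains_any(body, BODY_PATTERNS)
        or "copy of a current statement" in body_l
        or ("please send all past due" in body_l and "current invoices" in body_l)
    )

def suspicious_display_name(name):
    """The rule's sender display-name check."""
    return re.search(DISPLAY_NAME_PATTERN, name, re.IGNORECASE) is not None

# Constructed sample messages (not real mail) showing which branch fires.
SAMPLES = {
    "aging_subject": ("Updated Aging Report needed", "Can you send it today?"),
    "ap_body": ("Quick question", "Please share the recent AP Receivables."),
    "past_due": ("Follow up", "Please send all past due and current invoices."),
    "benign": ("Lunch Friday?", "Are we still on for lunch?"),
}
```

The suspicious-sender, NLU-intent and sender-profile conditions are not reproduced here because they depend on header parsing and Sublime's own telemetry rather than on the message text alone.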